For those not familiar, OpenID is a system that allows you to sign in to multiple websites using one identity. So, rather than have a different username and password for each site, you would just sign into each one using your OpenID credentials. In addition to the convenience this offers, there’s a security benefit in that the websites you use OpenID with don’t ever see the password you entered to gain access to their site.
This works by delegating the authentication out to the OpenID provider. Essentially, OpenID-enabled websites trust OpenID providers, so when you go to a given OpenID website it redirects you to your provider, where you log in with your OpenID credentials. You are then seamlessly redirected back to the site, and your provider tells the site in the background, “This person is good to go…”
So at that point you’re authenticated to the site without it ever having seen your password, and you didn’t have to click around to multiple sites: it all happened with a single login. This is stellar, but there’s a downside.
The ‘Eggs and Baskets’ Counterargument
While the scenario above keeps websites from getting your OpenID password during legitimate website logins, many have raised a valid question:
If you are logging into all these websites with one set of credentials, doesn’t that increase the damage that can be done if your OpenID password is compromised?
Without question, the answer is yes. But that doesn’t mean necessarily that consolidating on an OpenID identity is less secure; the risk assessment is more complex than that. And that’s where the discussion gets interesting.
So, we’ve established that OpenID keeps indvidual websites from having access to your passwords. We know that is good, so we’ll mark that as a positive. We also know that putting all one’s security eggs in one password basket increases the impact of a password compromise–so that’s a negative.
We can also add the following assumptions pretty safely:
- users tend to use poor passwords
- users share these poor passwords across websites and services
- therefore, a compromise at one site often leads to a compromise at others
So the question really becomes:
Which presents more risk: weak and/or similar passwords used across multiple sites that have different security measures protecting those passwords–meaning one or more is likely to be guessed and compromised, or a stronger, single OpenID that’s protected in a known and trusted way yet resents a single point of failure?
There’s also another downside to OpenID that must be factored in: the phishing threat. This is where a user thinks he/she is being redirected to log into their OpenID provider, when in fact they are being shown an attacker’s website. So, when they enter their credentials the bad guy has just stolen the password not just to one site, but to every site they use OpenID with.
But again, we don’t want to give the impression that OpenID is any more prone to phishing than any other service–it’s not. The issue isn’t an increased ease of compromise of OpenID credentials (there isn’t any), but rather the increased damage that could result if they were compromised.
But if you think that’s bad, it’s nothing compared to the danger we already face today.
The Weakest Link: Email Password Reset Mechanisms
Most people–and I dare say even most security professionals–don’t realize that the greatest vulnerability to website password security doesn’t come from having multiple passwords spread out over many sites. It actually comes from the mother of all single points of failure–the email-based password reset mechanism.
OpenID is a potential single point of failure, for some subset of online users, at some point in the future. Email, on the other hand, is a single point of failure for almost everyone–right now.
Think about it: when you forget your password, how do you reset it for the majority of the sites you use? Right, email. That means that the way into virtually all those different websites is through your email account. This leads us to a startling conclusion: the absolute most important password you have is the password to your email account.
The other backdoor into your accounts is the question-answer system whereby you are asked some questions like, “What’s the name of your favorite pet?”, or “What was the name of your first High School?” These systems constitute a major weakness in online security for the simple reason that guessing these answers is often much easier than guessing your password.
A Risk Discussion
Ok, so now we’ve laid some things out on the table: multiple weak passwords spread across sites, single points of failure, etc.–let’s look at them, and see where the risk tradeoffs lead us. Keep in mind: while I am experienced in information security this analysis definitely subject to interpretation. Follow me along in my logic and let me know if you disagree.
Many Weak Passwords vs. Single Point of Failure with OpenID
First off, I’d say that using an OpenID with a solid provider, a strong password (preferably with two-factor authentication) is going to yield an overall more secure posture for the average user than that same person using weak passwords (which are often shared) on individual websites. The key here is that if any of those passwords on those multiple sites are cracked, via whatever method, it’s likely to lead to the cracking of other sites as well.
The phishing narrative, which is often relayed in order to dissuade people from considering OpenID, is not nearly as compelling as it appears. This is because that same attack would work today, for those same users who’d be vulnerable to an OpenID phish, if they were to be sent to a fake GMail or Yahoo! Mail login. That attack is rather trivial, and looks something like this:
- Capture the victim’s email password via phishing
- Use the password reset mechanism at the various sites you want to crack of theirs
- Collect and reset those passwords from the compromised email account
In other words, this attack is nearly identical to the hypothetical OpenID single-point-of-failure (SPOF) attack, but email account phishing is a single point of failure that most everyone has, so it’s a threat right now.
So What Do We Do?
So here are the things you can do immediately to improve your online security posture:
Go, right now, and change your email password. Make it as complex as possible and don’t use a scheme or pattern that you’ve used in the past. Make it around 8 characters (you get diminishing returns beyond that) and make sure to use upper-case, lower-case, numbers, and at least one special character.
Modify your password reset questions and answers for your email account (if you have them). If you have the option, create your own questions, and use answers that only you would know. Don’t be like Sarah Palin (solid advice on a number of levels) and use something that can be looked up (she got her email hacked by using her High School name). If you’re forced to use canned questions, be tricky: consider answering “Friday” for favorite food, or “7129” for your favorite pet’s name.
Sign up for an OpenID account. I suggest PIP from VerisignLabs because they offer a number of two-factor options (I use their soft token). Make this password a good one, and don’t base it off of any patterns you’ve used in the past. Pay special attention to your reset mechanisms (see numbers 1 and 2), and enable the two-factor option if at all possible. Enable the requirement on your OpenID account (PIP) to require that you be signed in before the incoming authentication request be granted.
For your sensitive accounts (I’d say this includes social networking sites in most cases) use your OpenID account wherever you can. And where you do, be sure to change your local, website-based password (which you’ll be mapping your OpenID to) to something complex. Consider using a password-generator tool for generating and managing those passwords–something like 1Password or Password Safe. You hopefully won’t have to use them much, as you’ll be using your OpenID in most cases.
These four things should enhance your online security significantly, and doing just the first two will get you a solid measure of the benefits. Also, if you have anything to add to this analysis, or if you think I’ve mishandled or omitted something, please do let me know in the comments. ::