For those not familiar, OpenID is a system that allows you to sign in to multiple websites using one identity. So, rather than have a different username and password for each site, you would just sign into each one using your OpenID credentials. In addition to the convenience this offers, there’s a security benefit in that the websites you use OpenID with don’t ever see the password you entered to gain access to their site.
This works by delegating the authentication out to the OpenID provider. Essentially, OpenID-enabled websites trust OpenID providers, so when you go to a given OpenID website it redirects you to your provider, where you log in with your OpenID credentials. You are then seamlessly redirected back to the site, and your provider tells the site in the background, “This person is good to go…”
So at that point you’re authenticated to the site without it ever having seen your password, and you didn’t have to click around to multiple sites: it all happened with a single login. This is stellar, but there’s a downside.
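The exchange just described, as an added example in Python that is not part of the original post: the website (relying party) builds the redirect to the provider, the provider returns a signed OpenID 2.0 positive assertion after the user logs in there, and the website verifies that assertion without ever handling the user's password. The endpoints, association handle and MAC key are constructed placeholders, not real services.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlencode

# All endpoints, handles and keys below are constructed for this demo.
OP_ENDPOINT = "https://op.example.net/server"        # the OpenID provider
RETURN_TO = "https://rp.example.com/openid/return"   # the relying party (website)
ASSOC_HANDLE = "assoc-demo-1"
MAC_KEY = b"\x01" * 32   # shared key from a prior association (HMAC-SHA256)
SEEN_NONCES = set()      # relying party's replay cache
NS = "http://specs.openid.net/auth/2.0"

def build_checkid_setup(claimed_id):
    """Step 1: the website redirects the browser to the provider's login page."""
    params = {"openid.ns": NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.return_to": RETURN_TO, "openid.assoc_handle": ASSOC_HANDLE}
    return OP_ENDPOINT + "?" + urlencode(params)

def sign_fields(fields, signed):
    """Key-Value Form of the listed fields ('openid.' prefix stripped), HMAC-SHA256, base64."""
    kv = "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed)
    return base64.b64encode(hmac.new(MAC_KEY, kv.encode(), hashlib.sha256).digest()).decode()

def provider_positive_assertion(claimed_id):
    """Step 2: after the user logs in at the provider, it returns a signed id_res assertion."""
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
    fields = {"openid.ns": NS, "openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.return_to": RETURN_TO, "openid.response_nonce": nonce,
              "openid.assoc_handle": ASSOC_HANDLE,
              "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    fields["openid.sig"] = sign_fields(fields, fields["openid.signed"].split(","))
    return fields

def rp_verify(fields, expected_op_endpoint=OP_ENDPOINT):
    """Step 3: the website accepts 'this person is good to go' without ever seeing a password."""
    signed = fields.get("openid.signed", "").split(",")
    if fields.get("openid.mode") != "id_res" or fields.get("openid.return_to") != RETURN_TO:
        return False
    if fields.get("openid.op_endpoint") != expected_op_endpoint:  # not the provider we discovered
        return False
    if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle"} <= set(signed):
        return False  # spec-required fields must be covered by the signature
    if not hmac.compare_digest(fields.get("openid.sig", ""), sign_fields(fields, signed)):
        return False  # tampered, or not from the provider holding MAC_KEY
    if fields.get("openid.response_nonce") in SEEN_NONCES:
        return False  # replayed assertion
    SEEN_NONCES.add(fields["openid.response_nonce"])
    return True
```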
The ‘Eggs and Baskets’ Counterargument
While the scenario above keeps websites from getting your OpenID password during legitimate website logins, many have raised a valid question:
Without question, the answer is yes. But that doesn’t necessarily mean that consolidating on an OpenID identity is less secure; the risk assessment is more complex than that. And that’s where the discussion gets interesting.
So, we’ve established that OpenID keeps individual websites from having access to your passwords. We know that is good, so we’ll mark that as a positive. We also know that putting all one’s security eggs in one password basket increases the impact of a password compromise–so that’s a negative.
We can also add the following assumptions pretty safely:
users tend to use poor passwords
users share these poor passwords across websites and services
therefore, a compromise at one site often leads to a compromise at others
So the question really becomes:
There’s also another downside to OpenID that must be factored in: the phishing threat. This is where a user thinks he/she is being redirected to log into their OpenID provider, when in fact they are being shown an attacker’s website. So, when they enter their credentials the bad guy has just stolen the password not just to one site, but to every site they use OpenID with.
But again, we don’t want to give the impression that OpenID is any more prone to phishing than any other service–it’s not. The issue isn’t an increased ease of compromise of OpenID credentials (there isn’t any), but rather the increased damage that could result if they were compromised.
But if you think that’s bad, it’s nothing compared to the danger we already face today.
The Weakest Link: Email Password Reset Mechanisms
Most people–and I dare say even most security professionals–don’t realize that the greatest vulnerability to website password security doesn’t come from having multiple passwords spread out over many sites. It actually comes from the mother of all single points of failure–the email-based password reset mechanism.
OpenID is a potential single point of failure, for some subset of online users, at some point in the future. Email, on the other hand, is a single point of failure for almost everyone–right now.
Think about it: when you forget your password, how do you reset it for the majority of the sites you use? Right, email. That means that the way into virtually all those different websites is through your email account. This leads us to a startling conclusion: the absolute most important password you have is the password to your email account.
The other backdoor into your accounts is the question-answer system whereby you are asked some questions like, “What’s the name of your favorite pet?”, or “What was the name of your first High School?” These systems constitute a major weakness in online security for the simple reason that guessing these answers is often much easier than guessing your password.
A Risk Discussion
Ok, so now we’ve laid some things out on the table: multiple weak passwords spread across sites, single points of failure, etc.–let’s look at them and see where the risk tradeoffs lead us. Keep in mind: while I am experienced in information security, this analysis is definitely subject to interpretation. Follow along with my logic and let me know if you disagree.
Many Weak Passwords vs. Single Point of Failure with OpenID
First off, I’d say that using an OpenID from a solid provider, with a strong password (preferably with two-factor authentication), is going to yield an overall more secure posture for the average user than that same person using weak passwords (which are often shared) on individual websites. The key here is that if any of those passwords on those multiple sites are cracked, via whatever method, it’s likely to lead to the cracking of other sites as well.
The phishing narrative, which is often relayed in order to dissuade people from considering OpenID, is not nearly as compelling as it appears. This is because that same attack would work today, for those same users who’d be vulnerable to an OpenID phish, if they were to be sent to a fake GMail or Yahoo! Mail login. That attack is rather trivial, and looks something like this:
Capture the victim’s email password via phishing
Use the password reset mechanism at the various sites of theirs you want to crack
Collect and reset those passwords from the compromised email account
In other words, this attack is nearly identical to the hypothetical OpenID single-point-of-failure (SPOF) attack, but email account phishing is a single point of failure that most everyone has, so it’s a threat right now.
So What Do We Do?
So here are the things you can do immediately to improve your online security posture:
1. Go, right now, and change your email password. Make it as complex as possible and don’t use a scheme or pattern that you’ve used in the past. Make it around 8 characters (you get diminishing returns beyond that) and make sure to use upper-case, lower-case, numbers, and at least one special character.
2. Modify your password reset questions and answers for your email account (if you have them). If you have the option, create your own questions, and use answers that only you would know. Don’t be like Sarah Palin (solid advice on a number of levels) and use something that can be looked up (she got her email hacked by using her High School name). If you’re forced to use canned questions, be tricky: consider answering “Friday” for favorite food, or “7129” for your favorite pet’s name.
3. Sign up for an OpenID account. I suggest PIP from VerisignLabs because they offer a number of two-factor options (I use their soft token). Make this password a good one, and don’t base it off of any patterns you’ve used in the past. Pay special attention to your reset mechanisms (see numbers 1 and 2), and enable the two-factor option if at all possible. Enable the option on your OpenID account (PIP) that requires you to already be signed in before an incoming authentication request is granted.
4. For your sensitive accounts (I’d say this includes social networking sites in most cases) use your OpenID account wherever you can. And where you do, be sure to change your local, website-based password (which you’ll be mapping your OpenID to) to something complex. Consider using a password-generator tool for generating and managing those passwords–something like 1Password or Password Safe. You hopefully won’t have to use them much, as you’ll be using your OpenID in most cases.
These four things should enhance your online security significantly, and doing just the first two will get you a solid measure of the benefits. Also, if you have anything to add to this analysis, or if you think I’ve mishandled or omitted something, please do let me know in the comments.