Ask Slashdot: What's Holding Up Single Sign-On?

An anonymous reader writes "Like most web users these days, I have enough accounts on enough websites – most of which have *inconsistent* password syntax restrictions — that when I need to log into a site I don't visit very often, I now basically just hit the "Forgot Password" button immediately. Microsoft's "Passport" gave us the promise of a single web sign-on. What happened to that idea? Why hasn't some bright spark (or ubiquitous web corporation) already made a fortune standardizing on one? I can now buy my coffee with my phone. Why do I have to still scratch my passwords on the underside of my desk?"

8 of 446 comments

  1. Re:My Single Sign On by TheCarp · · Score: 3, Interesting

    Yes. Exactly. All the SSO I need.

    I have a FB account, but, since when do I trust them to know every single website I go to? You know how many non-FB websites I have EVER logged into with my FB account? 0. Exactly 0.

    As far as I can tell, the only reason they offer SSO is so they have yet more info to aggregate and sell. I don't use FB login for the same reason I don't allow my web browser (via requestpolicy) to connect to facebook at all when loading non-facebook sites.

    FB doesn't need to know where I go to stream music, it doesn't need to know where I read my news or post my comments, it doesn't need to know jack shit other than what I post on my wall, on facebook.

    --
    "I opened my eyes, and everything went dark again"
  2. Who do you want to hold your data? by jellomizer · · Score: 3, Interesting

    Ok, the problem with Single Sign On is the fact we are all going to choose a company for the SSO.
    Do enough of us really trust Microsoft, who has been in the headlines for massive security breaches?
    How about Facebook, you know, those guys who take your data and send it to everyone on the face of the earth.
    Perhaps Google; you will get targeted ads based on every place you log in to.
    OpenID, how much do you really trust a bunch of hairy-toed programmers who go to these black hat hacking events?

    Some distributed architectural system where you can find many points of weakness from some amateur setup.

    That is the problem with Single Sign On. We just don't have any trust, in these sources. And to have one that you trust enough for the rest of the world?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. Re:Single Sign-On by Anonymous Coward · · Score: 3, Interesting

    Most password reset protocols are just a kludgy 'authentication via email' already.

    I would've logged in, but I no longer have access to the email account that I used to create my /. account 10+ years ago.
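
    Worked example, added by the editor and not part of the comment above: the "authentication via email" that a password reset boils down to. The server mails a random token, keeps only a hash of it with an expiry, and accepts it once. Whoever controls the mailbox owns the account, which is the commenter's point; the token handling below just makes sure nobody else does. The in-memory store and the injectable clock are constructed for the example; a real deployment would keep the table in its database.

```python
import hashlib
import secrets
import time

# Assumption for the example: a reset link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Stand-in for the server-side table of pending password resets.

    Only a SHA-256 hash of each token is stored, so a read-only leak of this
    table (backup, SQL injection, log line) does not yield a usable link.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the example can test expiry
        self._pending = {}           # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a reset token for user_id; the caller emails the return value."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        self._pending[self._fingerprint(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Consume a token. Returns the user_id it unlocks, or None if it is
        unknown, already used, or expired. The token is deleted either way,
        so a reset link can never be replayed."""
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id


def demo():
    """Walk through issue -> redeem -> replay -> expiry with a fake clock."""
    now = [1_000_000.0]
    store = ResetTokenStore(clock=lambda: now[0])

    link_token = store.issue("alice")            # would go out in the reset email
    first = store.redeem(link_token)             # "alice": the link works once
    replay = store.redeem(link_token)            # None: already consumed

    stale_token = store.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1              # user reads the mail too late
    expired = store.redeem(stale_token)          # None

    garbage = store.redeem("not-a-real-token")   # None: unknown hash
    return first, replay, expired, garbage


if __name__ == "__main__":
    print(demo())
```

    The lookup is keyed on the hash rather than the raw token, so the comparison that matters is a dictionary hit on a value the attacker cannot produce without the 256-bit secret; there is nothing to mask with a constant-time compare.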

  4. Re:Single Sign-On by xtracto · · Score: 4, Interesting

    Just use KeePass. Allows you to remember just one password. I use LastPass, but of course it is not for the super-paranoid (it could be hacked with all my passwords on it).

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  5. Re:A little thing called trust by CastrTroy · · Score: 4, Interesting

    What about OpenID. That allows anybody to be a single sign on service provider. I can even be my own single sign on service provider if I have my own domain name.

    --
    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  6. Re:Single Sign-On by Bengie · · Score: 3, Interesting

    Email authentication is just another form of single sign-on

  7. Re:Last pass by Anonymous Coward · · Score: 2, Interesting

    Except that he was right 10 years ago. Now, it's irrelevant as ISPs have finally implemented proper egress filtering.

  8. Re:Single Sign-On by PlusFiveTroll · · Score: 3, Interesting

    On the accounts that aren't important who cares, but..

    On the ones that are important at least do something simple like

    $goodpassword+sitename

    So you would have X43snv!yahoo
    or X43snv!citibank

    That way any automated attacks with your scalped email and password would fail. A dedicated attacker may see the pattern and break in, but it's at least more time consuming for them.
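
    Worked example, added by the editor and not taken from PlusFiveTroll's comment: the $goodpassword+sitename scheme exactly as described, next to the two attacks the comment mentions. A leaked "X43snv!yahoo" replayed verbatim against citibank fails, but an attacker who reads the pattern and swaps the suffix succeeds. As an extension beyond the comment, the block also derives the per-site password with HMAC-SHA256 over the site name, so the pattern swap has nothing to latch onto. The trailing "!" on the HMAC variant, the 20-character length and the lowercasing of the site name are the editor's assumptions about what typical sites accept, not anything the page states.

```python
import base64
import hashlib
import hmac


def concat_site_password(master: str, site: str) -> str:
    """The commenter's scheme: one good secret, plus the site name.

    Every site-specific password carries the master secret in the clear,
    so anyone who sees one of them sees the rule."""
    return f"{master}!{site}"


def hmac_site_password(master: str, site: str, length: int = 20) -> str:
    """Alternative (editor's, not the commenter's): HMAC-SHA256(master, site).

    The output for one site reveals neither the master secret nor the
    password for any other site; only the master needs to be remembered.
    Assumptions: site names are case-folded so 'Yahoo' and 'yahoo' agree,
    and a fixed '!' is appended for sites that demand a symbol."""
    digest = hmac.new(master.encode("utf-8"), site.lower().encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length] + "!"


def replay_succeeds(leaked: str, actual: str) -> bool:
    """Automated credential stuffing: try the leaked password verbatim."""
    return hmac.compare_digest(leaked, actual)


def pattern_guess_succeeds(leaked: str, leaked_site: str, target_site: str, actual: str) -> bool:
    """Dedicated attacker: notice the site-name suffix and swap it."""
    guess = leaked.replace(leaked_site, target_site)
    return hmac.compare_digest(guess, actual)


def compare_schemes(master: str = "X43snv", leaked_site: str = "yahoo", target_site: str = "citibank"):
    """Run both attacks against both schemes; returns a dict of outcomes."""
    results = {}
    for name, derive in (("concat", concat_site_password), ("hmac", hmac_site_password)):
        leaked = derive(master, leaked_site)       # the site that got breached
        actual = derive(master, target_site)       # the site the attacker wants
        results[name] = {
            "replay": replay_succeeds(leaked, actual),
            "pattern_guess": pattern_guess_succeeds(leaked, leaked_site, target_site, actual),
        }
    return results


if __name__ == "__main__":
    for scheme, outcome in compare_schemes().items():
        print(scheme, outcome)
```

    Both schemes stop the blind replay; only the HMAC one also stops the pattern swap, because the leaked string no longer contains the site name or the master secret to edit. The cost is that the derivation has to be run by a tool (or memorised as a procedure), which is the same trade-off the password-manager comments above are making.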