You could say single-sign on has become a key to my daily survival. I need so many passwords to get through the day that I’ve pinned a lot of my hopes on it. Naturally, I was none too pleased to see that researchers have found big cracks in such single-sign on vehicles as OpenID and the system Facebook uses. The details are in this article by my colleague Cameron Scott from the IDG News Service. Scott writes:

The researchers, from Indiana University Bloomington and Microsoft Research, say they have found a number of serious flaws in OpenID and the single-sign on system used by Facebook, as well as implementations of those systems at several popular websites. Google and PayPal are among the users of OpenID.

“The problem here is that the authentication system makes life easier but it makes security management more challenging,” said XiaoFeng Wang, one of the authors of the study.

Phooey.

In one of the flaws the researchers exposed, for example, not all websites confirmed that a verification coming from OpenID included all of the items the website asked to be confirmed, such as the first name, last name and email address. The researchers were able to access the request, delete one piece of requested information (the email address, for example) as it went to OpenID and simply re-insert it in the signed okay from OpenID. In this way, even a hacker who didn’t control the email address linked to the user’s account on the website in question could log in, and potentially make purchases, using that person’s account.

Using Facebook’s authentication system, researchers were able to persuade third-party websites that they were somebody else and hijack that person’s legitimate Facebook account.

Double phooey.

The researchers cast a small net for the study, gunning for the protocols used by Sears, Yahoo, Web-based project management application Smartsheet, FarmVille’s Facebook portal and The New York Times website, Scott writes.

The research shines a light on serious problems.
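The relying-party check that the flawed sites were missing, as an added example that is not code from the article or from the researchers: a simplified OpenID-style verifier in which the identity provider signs a listed set of fields (modelled loosely on OpenID 2.0's signed-field list, not a faithful implementation of the protocol). The shared secret, attribute names and sample values are constructed for the example. The naive acceptor only checks that the signature verifies and that the requested fields are present; the hardened acceptor also requires every requested field to be in the signed list, which is what defeats an unsigned field being re-inserted after the fact.

```python
import hashlib
import hmac

# Constructed association secret shared by the relying party (RP) and the
# identity provider (IdP). Real OpenID derives this during association.
SHARED_SECRET = b"constructed-association-secret"

# Attributes the RP asked the IdP to confirm (hypothetical names).
REQUIRED_FIELDS = ("first_name", "last_name", "email")


def kv_form(params, names):
    """Serialize the named fields as 'key:value\\n' lines, in list order."""
    return "".join(f"{name}:{params[name]}\n" for name in names).encode()


def issue_assertion(claims, secret=SHARED_SECRET):
    """IdP side: sign the claims it actually received in the request.

    The 'signed' list names every field the signature covers, and is
    itself signed so it cannot be edited in transit.
    """
    names = sorted(claims) + ["signed"]
    response = dict(claims)
    response["signed"] = ",".join(names)
    response["sig"] = hmac.new(
        secret, kv_form(response, names), hashlib.sha256
    ).hexdigest()
    return response


def signature_valid(response, secret=SHARED_SECRET):
    """RP side: recompute the HMAC over the fields the IdP says it signed."""
    names = response.get("signed", "").split(",")
    try:
        expected = hmac.new(secret, kv_form(response, names), hashlib.sha256)
    except KeyError:  # a listed field is missing from the response
        return False
    return hmac.compare_digest(expected.hexdigest(), response.get("sig", ""))


def accept_naive(response, required=REQUIRED_FIELDS):
    """Flawed RP: valid signature plus presence of the fields it wanted."""
    return signature_valid(response) and all(f in response for f in required)


def accept_hardened(response, required=REQUIRED_FIELDS):
    """Fixed RP: every required field must be present AND in the signed list."""
    if not signature_valid(response):
        return False
    signed = set(response["signed"].split(","))
    return all(f in response and f in signed for f in required)


def demo():
    """Return (naive, hardened) verdicts for a response whose email field
    was dropped from the request and re-added unsigned on the way back."""
    # Constructed: the request that reached the IdP no longer asked for email.
    partial = issue_assertion({"first_name": "Ada", "last_name": "Lovelace"})
    # Constructed: the email field is re-inserted into the signed okay.
    reinserted = dict(partial)
    reinserted["email"] = "ada@example.com"
    return accept_naive(reinserted), accept_hardened(reinserted)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The difference between the two acceptors is a single set-membership test, which is why this class of bug survives in otherwise careful integrations: the signature really is valid, just not over the field the site is about to trust.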
Fortunately, the cracks discovered were documented and fixed. The findings have not shaken my faith in single-sign on. Every protocol has its flaws, and it was only a matter of time before these were discovered. In my world, single-sign on still beats having to remember dozens of passwords that hang off the brain like a thick chain of keys hanging from a belt loop. There’s the password for the work blog, the personal blog, Twitter, Facebook, my bank, Amazon, all the sites for the electric and gas for the house, the phones, the cable, etc. I’m drowning, and will take all the single-sign on help I can get, even if there are cracks in the armor.