Is web single sign on (SSO) less secure than having many passwords?  If they crack my account, they gain access to many services at one go, so it must be worse?

Some of the reasons this reasoning is flawed:

  • In practice end users choose to have the same password on multiple services.  Given a cracked account, trial and error will give access to other services.
  • If end users are forced to have too many passwords (more than 2-3), they write down the information.  Often the written information is on a yellow sticky note under the keyboard or on the desk lamp.  This is not secure.  Universities are open, and students mill around in all corners.  Students have eyes, and many have memories.
  • Storing passwords at each individual service provides a multitude of cracking vectors.  Attacking a service will eventually yield an account that may be used to further gather passwords.
  • If the account is cracked, the user may notice it earlier if everyday services are affected.  This reduces the exposure time of the cracked account, and helps reduce the consequences of a cracked account.
  • It is easier to have a stringent operational regime for a single password store and a web single sign-on service than to have the same strictness for every single web service.  This does not apply to security solutions where all the security is at a single firewall at the perimeter.  It does apply to real, live services on the Internet, or any service exposed to hostile users.  Daily operations and data access are grossly underestimated in most security considerations.
  • Minimal data exposure is good engineering.

Putting all the eggs in one basket may be a good idea if the basket is well guarded and you watch your steps.
