The Upside of Heartbleed: SAML-based SSO to Manage Passwords

The Heartbleed bug has generated a lot of catastrophic commentary and reverberating repercussions since it was publicly disclosed on April 7. “‘Catastrophic’ is the right word,” wrote Internet security expert Bruce Schneier on his blog. “On the scale of 1 to 10, this is an 11.” That intensity of reaction is not surprising given estimates that around half a million of the Internet’s secure web servers (some 17 percent) were believed to be vulnerable to attack due to Heartbleed, in addition to countless embedded devices such as firewalls and routers.

SSO Reduces Password Toll on Employees

In a recent CIO Journal/Wall Street Journal article, “Report: Passwords Take a Toll on Employees”, author Rachael King cites the findings of a recent study by the National Institute of Standards and Technology (NIST) and points to single sign-on as a remedy for the ways employees cope with authentication across multiple devices and applications when they have too many passwords to remember. According to King, the NIST study found that “…employees may follow poor security measures in navigating password-protected systems because they are simply trying to get their work done…[and] are often aware that coping mechanisms such as writing down passwords or reusing…

Heartbleed and Passwords

Once more the evil of passwords is demonstrated. This time it’s the Heartbleed bug, which can expose chunks of data held in a web server’s memory to attackers. Passwords – and the access they grant to anything they protect – are the most obvious target. Technical aside: for those of you who don’t have time to read the US-CERT advisory (https://www.us-cert.gov/ncas/alerts/TA14-098A), here is a summary. The current version of the security library used by many web servers (OpenSSL) has a flaw that allows an attacker to send an information request (TLS heartbeat) to a server that reads way more…