Good solution but it has a flaw. It's better for hackers to steal SSO of many users and get access to their services throw attacking single SSO. However all says that SSO is highly protected and blah-blah but it will be cheaper to find vulnerabilities and attack a single service instead of a couple ones. Like it was with lastpass.
No solution fixes all problems in security. The goal can't be perfection or we will always fail. The goal has to be to continue to make the system more secure. Absolute secure doesn't exist with an operational system. The question should be, is it more secure as a result?
LastPass is server dependent. Something like Enpass allows you to have the encrypted SSO that you can store anywhere you like. If hackers get to it it's because you misplaced your password manager file
@@jeffcrume In my opinion, in security - damage control is more important, including the limitation of attack spread. Everything that has access, doesnt matter how secure will be broken at some time. So I think it is more important detect it in time and limit the damage than building the walls.
@@CenturionKenshin which is why MFA can help here. If implemented well, it would be very hard for an attacker to get all credentials if they have to defeat a strong authentication solution first
There can be different kinds of failures -- availability is certainly one type. A well architected SSO solution would have failover capabilities so it has no single point of failure from an availability standpoint as well
Wow ..this is awesome . Sir ,i have completed my course on cyber security law ..it's so interesting...hope i will get a job soon so that i can explore and learn more about it and contribute positively to securing the cyber space ..
Isn;t this identity federation? I thought the SSO is the contract between the client (browser) and the IDP so that if different systems use the same identity provider for authentication, they can login without explicitly authenticated.
That’s certainly one way to do it and the most common one when you are crossing identity domains that you don’t directly control. However, there can be SSO within an org across its various sites as well that may not require federation protocols
They could but why would they? The SSO system could actually set different pw’s for each system automatically so it would actually require more effort for them to override this and result in lower security and no apparent benefit
@@jeffcrume Hi, but wouldn't the PA password provide access to all three systems anyhow? If they have the PW to SSO, surely the access to all systems will be given? Won't the systems assume that the user is who they are because they have password PA?
SPoF here is the guy with the smile :) and always will be. SSO makes it easier to get one password to rule it all and MFA would not help, if guy_with_the_smile's butt is on fire :)
SSO is supposed to be coupled with permissions. That way the higher the privilege of a given account, the stricter the protocol needed to use that account.
Humans are usually the weakest link, for sure, but with well implemented MFA and other controls, you lessen the likelihood that the user is compromised or, inadvertently contributes to the compromise. A malicious user intent on harm is a different matter. This is where oversight with things like User Behavior Analytics can help
@@jeffcrume I just like to get to/put to extreme in/for hypothetical situations. User Behaviour Analytics can help to some degree indeed but in this case we might probably would talk about damage control.
I swear we have a lady that calls in almost every 3-4 days that she has forgot her main Windows login password. How is that even possible? Are people really that stupid?
That’s why you should use multi-factor authentication to get into the SSO system. That way the compromise of a single password doesn’t result in compromise of the whole system
@@jeffcrume Yes but then we can use MFA in first case as well correct? Use same password for all the systems with MFA. We're back to square one. How do you respond to this question?
Failure comes in many forms. Failure of the system to be available, failure of the system to produce the intended results, failure to complete a task in a reasonable time or failure to keep information secure are just a few examples
I don't considera myself a super smart person, but sometimes I can't understand why people can't figure our some very simple solutions. Just create a sead with about 6 to 8 characters like j%7&=83. Now, of you need to create an account in Google, take the first 2 and last 2 letters, and glue them to your seed: GOj%7&=83LE. Of you are creating ot in Yahoo, then YAj%7&=83OO. There. You have virtually one password per website and you just need to remember one thing (the seed). No need for vault, no need for SSO. Why this is not obvious to everyone is beyond me.
what if you need to change 1 password? you break your formula. "oh that's fine I'll make another one." how do you keep track of all the new 20 formulas? you write them down. again. use a vault for god's sake.
Because if someone discovers that seed and the method of creating passwords then they’ll just recreate that process when attempting to log into these other accounts.
The problem is that if anyone sees one or two of these passwords, the formula is pretty easily determined and, therefore, can be extrapolated to other systems. This might be an option for very low security systems where the cost of compromise is negligible, but insufficient for really sensitive stuff.
There is no such thing as absolute security on any system that is operational. It's always a question of risk analysis, which was the subject of this video ... ruclips.net/video/xt_Cdtvjbd4/видео.html
I am enjoying this channel every time
Good solution but it has a flaw. It's better for hackers to steal SSO of many users and get access to their services throw attacking single SSO. However all says that SSO is highly protected and blah-blah but it will be cheaper to find vulnerabilities and attack a single service instead of a couple ones. Like it was with lastpass.
No solution fixes all problems in security. The goal can't be perfection or we will always fail. The goal has to be to continue to make the system more secure. Absolute secure doesn't exist with an operational system. The question should be, is it more secure as a result?
LastPass is server dependent. Something like Enpass allows you to have the encrypted SSO that you can store anywhere you like. If hackers get to it it's because you misplaced your password manager file
@@jeffcrume In my opinion, in security - damage control is more important, including the limitation of attack spread. Everything that has access, doesnt matter how secure will be broken at some time. So I think it is more important detect it in time and limit the damage than building the walls.
@@CenturionKenshin which is why MFA can help here. If implemented well, it would be very hard for an attacker to get all credentials if they have to defeat a strong authentication solution first
Short and precise ❤
Let's always do good 🙏
This is so informative. Thank you for making this video.
Thanks for watching!
Isn't single point of failure more related to availablity. What if the SSO application goes down or is not accessible?
There can be different kinds of failures -- availability is certainly one type. A well architected SSO solution would have failover capabilities so it has no single point of failure from an availability standpoint as well
Good work.. we're getting there step by step..
Wow ..this is awesome .
Sir ,i have completed my course on cyber security law ..it's so interesting...hope i will get a job soon so that i can explore and learn more about it and contribute positively to securing the cyber space ..
Best of luck to you Nair!
Worth it... Bravo 👏
Wow! This is so good! Perfectly explained
This was very helpful and well explained. Thank you!
Beautifully explained
Thank you sir
Isn;t this identity federation? I thought the SSO is the contract between the client (browser) and the IDP so that if different systems use the same identity provider for authentication, they can login without explicitly authenticated.
That’s certainly one way to do it and the most common one when you are crossing identity domains that you don’t directly control. However, there can be SSO within an org across its various sites as well that may not require federation protocols
What about keypass?
thank you ! :)
nice explanation
So this is safe then, right.is that when you get google mixed numbers letters.! I have concussion why at hospital. Tts bad dr said.
P1=P2=Pn, and what will make the user not do PA=P1=Pn ..., but PA != P1 != Pn in the SSO case ?
They could but why would they? The SSO system could actually set different pw’s for each system automatically so it would actually require more effort for them to override this and result in lower security and no apparent benefit
@@jeffcrume Hi, but wouldn't the PA password provide access to all three systems anyhow? If they have the PW to SSO, surely the access to all systems will be given? Won't the systems assume that the user is who they are because they have password PA?
Please..... Please... Please
SPoF here is the guy with the smile :) and always will be. SSO makes it easier to get one password to rule it all and MFA would not help, if guy_with_the_smile's butt is on fire :)
SSO is supposed to be coupled with permissions. That way the higher the privilege of a given account, the stricter the protocol needed to use that account.
Humans are usually the weakest link, for sure, but with well implemented MFA and other controls, you lessen the likelihood that the user is compromised or, inadvertently contributes to the compromise. A malicious user intent on harm is a different matter. This is where oversight with things like User Behavior Analytics can help
@@jeffcrume I just like to get to/put to extreme in/for hypothetical situations. User Behaviour Analytics can help to some degree indeed but in this case we might probably would talk about damage control.
@@shapshooter7769 PAM is good, but again if entry point is the user(I'm not talking user doing it willingly), one can not do anything even with PAM.
I swear we have a lady that calls in almost every 3-4 days that she has forgot her main Windows login password. How is that even possible? Are people really that stupid?
I think you answered your own question 😂
Does anyone watch this video just to learn english like me?
I hoping it is helping you in that regard as well, although, my English is not always the best. Just ask my high school Grammar teacher ... 😂
No
Isn't SSO like his third example. The SSO password gets compromised, it will provide access to the rest.
That’s why you should use multi-factor authentication to get into the SSO system. That way the compromise of a single password doesn’t result in compromise of the whole system
@@jeffcrume Yes but then we can use MFA in first case as well correct? Use same password for all the systems with MFA. We're back to square one. How do you respond to this question?
@@rahuljayekar2685 without SSO, u will need log-in in all webs independently
SPoF is when sso stopped working, not when someone figured user’s password.
Failure comes in many forms. Failure of the system to be available, failure of the system to produce the intended results, failure to complete a task in a reasonable time or failure to keep information secure are just a few examples
I don't considera myself a super smart person, but sometimes I can't understand why people can't figure our some very simple solutions.
Just create a sead with about 6 to 8 characters like j%7&=83. Now, of you need to create an account in Google, take the first 2 and last 2 letters, and glue them to your seed: GOj%7&=83LE. Of you are creating ot in Yahoo, then YAj%7&=83OO.
There. You have virtually one password per website and you just need to remember one thing (the seed). No need for vault, no need for SSO.
Why this is not obvious to everyone is beyond me.
what if you need to change 1 password? you break your formula. "oh that's fine I'll make another one." how do you keep track of all the new 20 formulas? you write them down. again. use a vault for god's sake.
Because if someone discovers that seed and the method of creating passwords then they’ll just recreate that process when attempting to log into these other accounts.
The problem is that if anyone sees one or two of these passwords, the formula is pretty easily determined and, therefore, can be extrapolated to other systems. This might be an option for very low security systems where the cost of compromise is negligible, but insufficient for really sensitive stuff.
Password manager solves this, Bitwarden solves this. Wasted my time
+ it's e2e encrypted, bitwarden for the win
SSO is NO Longer SAFE! HELL, WHAT IS?🤔🤔
There is no such thing as absolute security on any system that is operational. It's always a question of risk analysis, which was the subject of this video ... ruclips.net/video/xt_Cdtvjbd4/видео.html