Tuesday, July 05, 2005

Passwords as Global Identifiers

There seems to be a perception in the industry that federated identity, because it connects previously isolated web sites, will only worsen the identity theft problem by magnifying the consequences of any successful attack. Break one link, through a phish or otherwise, and the whole chain is yours (with a little trial and error).

But most users already reuse passwords across the various sites they deal with (the more sophisticated may not reuse exactly the same password, but rather have some scheme for generating memorable passwords from a seed and the name of the site in question).

So, in a sense, the accounts of many users at their different providers are already linked: linked through the duplicated passwords those users hold at the different sites.
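To make the "already linked" point concrete, here is an added example that is not part of the original post. It models the two habits the post mentions: the memorable "seed plus site name" scheme, and a machine-derived alternative (PBKDF2 with the site name as salt) of the kind a password manager would use, then runs a small audit over the resulting passwords to report which accounts are linked because their passwords are identical or share a long common prefix. The seed, site names and the `min_shared` threshold are constructed for the example; nothing here is from the post.

```python
import base64
import hashlib

# Constructed sample data: one user's memorable seed and the sites they use.
SEED = "correct-horse"          # hypothetical seed, not a real credential
SITES = ["bank.example", "mail.example", "shop.example"]


def memorable_scheme(seed: str, site: str) -> str:
    """Human-computable per-site password: the seed followed by the first
    three letters of the site name. Easy to remember, but every site's
    password carries the seed in the clear, so one leak links all accounts."""
    return seed + site[:3]


def derived_scheme(seed: str, site: str, length: int = 16) -> str:
    """Machine-derived per-site password: PBKDF2-HMAC-SHA256 keyed by the
    seed, with the site name as salt. Each output is a one-way function of
    the seed, so one leaked password reveals neither the seed nor the
    passwords at other sites."""
    raw = hashlib.pbkdf2_hmac("sha256", seed.encode(), site.encode(), 200_000)
    return base64.b64encode(raw).decode()[:length]


def linked_sites(passwords: dict, min_shared: int = 8) -> list:
    """Audit helper: return pairs of sites whose passwords are identical or
    share at least min_shared leading characters. These are the accounts
    that are 'linked' in the post's sense: compromising one gives a head
    start on the other."""
    sites = sorted(passwords)
    pairs = []
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            pa, pb = passwords[a], passwords[b]
            shared = 0
            for x, y in zip(pa, pb):
                if x != y:
                    break
                shared += 1
            if pa == pb or shared >= min_shared:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    weak = {site: memorable_scheme(SEED, site) for site in SITES}
    strong = {site: derived_scheme(SEED, site) for site in SITES}
    print("memorable scheme links:", linked_sites(weak))    # every pair
    print("derived scheme links:  ", linked_sites(strong))  # none
```

Run as a script, the audit reports every pair of sites as linked under the memorable scheme and none under the derived one. The audit only sees a shared prefix or an exact match, so it is a floor on linkage, not a proof of independence; the stronger claim for the derived scheme rests on PBKDF2 being one-way, not on the audit.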

