SecurityWeek

Identity & Access

I Told You SSO

Last month the French TV network, TV5Monde, had 11 of its stations’ signals disrupted by an Islamist group. Its websites and social media pages were also defaced, but the biggest immediate impact was loss of advertising revenue during the blackout.

And what security failure led to this embarrassing and costly security breach? One source reported that the network’s highest-level password was “azerty12345,” the French-keyboard equivalent of “qwerty12345”, making it easy for attackers to guess.

But this story gets better (or worse, depending on your perspective). While reporting on their own incident, they actually filmed a staffer in their offices with user names and passwords written down and visible in the background. Then they aired that footage for all the world to see.

[Image: Passwords on Paper]

It’s the security equivalent of an “own goal” in soccer.

Not just a French problem

Lest you think that this form of security self-sabotage is uniquely Gallic, last week, a BBC documentary inadvertently exposed passwords used at a British rail network’s control center. In one part of the televised segment, taped to the top of a monitor displaying track controls was the user name and password. In this case, it was quickly recognized and no security incident was reported, but the impact could have been far more devastating if trains had collided.

A crew filming a “top secret” Super Bowl security center in February 2014 exposed the WiFi network’s credentials. The list goes on.

How do we stop handing attackers our credentials?

One way would be to stop allowing TV crews to film inside of private areas. Human nature being what it is, though, we will likely continue to want to show off our offices and control centers.

An obvious solution is to dissuade users from displaying their credentials on stickers, banners, white boards and sticky notes as well. But putting the responsibility entirely on users is a fool’s errand. “I told you so” brings no satisfaction after intellectual property has been stolen or on the heels of a catastrophic accident.

Whose responsibility is it?

We like to say that security is everyone’s responsibility, and there is truth to that. Users are understandably at an impasse, though, when we ask them to use unique, complex passwords for every application, and to rotate them every 90 days without repetition. This makes for good security policy, while boosting the sales of Post-It Notes – in reality, this is security-driven self-sabotage.

Security teams must bear equal, if not more, responsibility for reducing the risk that credential fatigue leads to inadvertent exposure.

Reducing reliance on passwords

It should be no surprise that single sign-on (SSO) is an important part of reducing this risk, given the maturity of SSO technology. SSO reduces the number of unique passwords that users have to remember, implements far more complex passwords than users typically employ, and rotates them automatically according to policy.

The challenge with SSO is that it has traditionally been limited to corporate web applications and, to a lesser degree, desktop applications. But in the example of TV5Monde, their social media accounts were also exposed. This raises the question: how are you offering SSO for cloud and social accounts? Or mobile apps?

The topic of SSO may seem passé, but we can thank these recent gaffes for breathing new life into it. SSO has to expand to meet the demands of today’s cloud, social and mobile realities. Don’t say I didn’t tell you SSO.
