The safe way to use one Internet password

Feb 25, 2010

(PhysOrg.com) -- A little-used Internet authentication system from the 1980s could provide the answer for enabling web users to securely log in only once per Internet session, a Queensland University of Technology researcher has found.

PhD researcher Suriadi, from QUT's Information Security Institute, said a secure single sign-on system was more than simply using the same password for multiple accounts.

Mr Suriadi said any future single sign-on system, which could potentially give web users access to a multitude of accounts, including email, banking and shopping, would require strong privacy protection to keep out information spies and account hijackers.

"Single sign-on systems are already being used by organisations," he said.

"For example, a bank could link their Internet banking site to an online trading site, thus relieving users from having to perform an extra log-in step.

"However, if one of the parties is compromised, for example by a virus, a 'denial of service' attack or insecure set-up, it puts all the user's linked accounts at risk."

Mr Suriadi said his research investigated a little-used "anonymous credential system" which dates back to the 1980s, but recently received renewed interest from the research community.

"Using this credential system, we could enhance the security and privacy of a single sign-on system," he said.

"The system works by revealing as little information about who you are as necessary for logging into an account, therefore allowing you to remain anonymous.

"This way, a company wouldn't be able to track your shopping habits and target spam or marketing at you. This method could also confirm you are over 18 and not reveal your birthday."
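As an added illustration (not code from the article or from Suriadi's paper), here is a simplified hash-based selective-disclosure credential in Python: the issuer signs salted commitments to every attribute, and the holder reveals only what a site needs, such as an over-18 flag without the birthday. It assumes a shared HMAC key as a stand-in for the issuer's signature, and it does not provide the unlinkability of a true anonymous credential system, because the signed digest list looks the same at every site.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key. A real issuer would use a
# public-key signature so that verifiers need no shared secret.
ISSUER_KEY = b"constructed-issuer-key-for-demo"


def _commit(name, value, salt):
    """Salted hash of one attribute; the salt stops a verifier from guessing hidden values."""
    return hashlib.sha256(salt + json.dumps([name, value]).encode()).hexdigest()


def issue_credential(attributes):
    """Issuer side: hide every attribute behind a fresh salt and sign only the digests."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    digests = sorted(_commit(n, v, salts[n]) for n, v in attributes.items())
    tag = hmac.new(ISSUER_KEY, json.dumps(digests).encode(), "sha256").hexdigest()
    return {"digests": digests, "tag": tag, "salts": salts, "attributes": dict(attributes)}


def present(credential, reveal):
    """Holder side: hand over the signed digest list plus only the chosen attributes."""
    disclosed = {n: [credential["attributes"][n], credential["salts"][n].hex()] for n in reveal}
    return {"digests": credential["digests"], "tag": credential["tag"], "disclosed": disclosed}


def verify(presentation):
    """Verifier side: check the issuer tag, then that each disclosed attribute opens a digest.

    Returns the accepted attributes, or None if anything fails to check out."""
    expected = hmac.new(ISSUER_KEY, json.dumps(presentation["digests"]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return None
    accepted = {}
    for name, (value, salt_hex) in presentation["disclosed"].items():
        if _commit(name, value, bytes.fromhex(salt_hex)) not in presentation["digests"]:
            return None
        accepted[name] = value
    return accepted


if __name__ == "__main__":
    # Constructed sample: the issuer records the age predicate itself, so the
    # holder can prove "over 18" without ever disclosing the birthday.
    cred = issue_credential({"name": "Alice Example", "birthday": "1985-03-02", "over_18": True})
    print(verify(present(cred, ["over_18"])))  # {'over_18': True}
```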

Mr Suriadi said a single sign-on system backed by the anonymous credential system required the cooperation of businesses and organisations to enable it.

"One use of this could be for the research community, with online libraries and databases applying the anonymous credential system so that the privacy of researchers can be preserved," he said.

"This would be useful for people researching sensitive issues."

Mr Suriadi said for the purposes of accountability, such a system would also allow authorities to revoke users' anonymity in cases of illegal activity.


More information: Suriadi, S., Foo, E., and Jøsang, A. 2009. A user-centric federated single sign-on system. J. Netw. Comput. Appl. 32, 2 (Mar. 2009), 388-401. dx.doi.org/10.1016/j.jnca.2008.02.016


User comments : 4


fourthrocker
not rated yet Feb 25, 2010
It would be about time. With one password we could remember a complex one easily. Nah, makes too much sense, won't happen.
ralph_wiggum
not rated yet Feb 25, 2010
Most large enterprises use some sort of single sign-on system internally already (such as http://www.ca.com...x?ID=166 ). The reason companies are able to do this internally is because there's one CIO in charge who can tell his employees to do it.

It will never work globally across the internet because there's no one CIO in charge of the internet and SSO integration is a massive and disruptive effort that requires all participating parties to first agree on a standard and then implement it on their servers. There will always be a bunch of competing mini-SSOs revolving around Facebook or Amazon or some other userbase and a huge set of standalone sites such as banks, utility companies, etc. Maybe in 10-20-30 years we'll have some new security paradigm, but hopefully it'll be more realistic and concrete than regurgitating the SSO idea and saying all we have to do now is get all the millions of websites and billions of users to use it.
extremity
1 / 5 (1) Feb 25, 2010
Like the article said, this idea of screening your personal information has been around for nearly 3 decades. I still use the old program called Luckman's Anonymous Cookie although I have heavily modified it for a 64 bit environment. But it's hard to teach everyone how to identify phishing schemes and what is safe and secure versus what is malicious. It's even harder to get everyone to use mixed upper and lower case, alpha-numeric, and special character passwords for good security.
stealthc
3 / 5 (2) Feb 25, 2010
I think the idea of a single password is a ploy to make the system have an easier time getting into all of your stuff.

So now when you get hacked, they get everything instead of just one thing.

I'll be blunt, this idea sounds retarded and I don't think I would subscribe to it. The government would like nothing more for you to have a single password, and to have you log in to use the net, so they can boot you and censor free speech if you voice dissent against your system while it rolls out tyranny.