The safe way to use one Internet password

A little-used Internet authentication system from the 1980s could provide the answer for enabling web users to securely log in only once per Internet session, a Queensland University of Technology researcher has found.

PhD researcher Suriadi, from QUT's Information Security Institute, said a secure single sign-on system was more than simply using the same password for multiple accounts.

Mr Suriadi said any future single sign-on system, which could potentially give web users access to a multitude of accounts, including email, bank and shopping, would require strong privacy protection to keep out eavesdroppers and account hijackers.

"Single sign-on systems are already being used by organisations," he said.

"For example, a bank could link their Internet banking site to an online trading site, thus relieving users from having to perform an extra log in step.

"However, if one of the parties is compromised, for example by a virus, a 'denial of service' attack or insecure set-up, it puts all the user's linked accounts at risk."

Mr Suriadi said his research investigated a little-used "anonymous credential system" which dates back to the 1980s, but recently received renewed interest from the research community.

"Using this credential system, we could enhance the security and privacy of a single sign-on system," he said.

"The system works by revealing as little information about who you are as necessary for logging into an account, therefore allowing you to remain anonymous.

"This way, a company wouldn't be able to track your shopping habits and target spam or marketing at you. This method could also confirm you are over 18 and not reveal your birthday."
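The quote above describes selective disclosure: the holder of a credential proves one fact (over 18) without handing over the attribute it was derived from (the birthdate). The following is an added illustration, not code from the article or from the Suriadi, Foo and Jøsang paper. It uses the simplest construction that shows the idea, a signed list of salted attribute digests, and it deliberately uses an HMAC under a shared issuer key as a stand-in for the issuer's digital signature (a hypothetical simplification; a real deployment would use a public-key signature so verifiers never hold issuer secrets). All attribute values are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical issuer secret. Stands in for a signing key; in practice the
# verifier would check a public-key signature instead of recomputing an HMAC.
ISSUER_KEY = secrets.token_bytes(32)


def attr_digest(name, value, salt):
    """Commit to one attribute. The random salt stops a verifier from guessing
    hidden values (e.g. brute-forcing every possible birthdate)."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(attributes, issuer_key):
    """Issuer signs only the digests, never the plaintext attributes.
    Derived facts such as over_18 are computed by the issuer at issuance."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    # Sorting hides the original attribute order from the verifier.
    digests = sorted(attr_digest(n, v, salts[n]) for n, v in attributes.items())
    tag = hmac.new(issuer_key, json.dumps(digests).encode(), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag, "attributes": attributes, "salts": salts}


def present(credential, disclose):
    """Holder forwards the signed digest list plus (salt, value) only for the
    attributes it chooses to reveal; everything else stays a bare digest."""
    return {
        "digests": credential["digests"],
        "tag": credential["tag"],
        "disclosed": {n: (credential["salts"][n], credential["attributes"][n]) for n in disclose},
    }


def verify(presentation, issuer_key):
    """Return the disclosed attributes if the issuer tag is valid and every
    disclosed value opens one of the signed digests; otherwise None."""
    expected = hmac.new(issuer_key, json.dumps(presentation["digests"]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return None
    revealed = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if attr_digest(name, value, salt) not in presentation["digests"]:
            return None  # value or salt was tampered with
        revealed[name] = value
    return revealed


def is_linkable(p1, p2):
    """Caveat this toy scheme does not fix: the signed digest list is identical
    in every presentation, so two sites can tell they saw the same credential.
    Anonymous credential systems of the kind the article refers to randomise
    each showing so that this check would fail for honest presentations."""
    return p1["tag"] == p2["tag"]


if __name__ == "__main__":
    # Constructed sample attributes for a fictional holder.
    cred = issue_credential({"name": "Alice Example", "birthdate": "1985-06-01", "over_18": True}, ISSUER_KEY)
    shop = present(cred, ["over_18"])
    print("shop learns:", verify(shop, ISSUER_KEY))        # only over_18
    print("birthdate leaked:", "1985-06-01" in str(shop))  # False
```

The holder can answer an age check with `present(cred, ["over_18"])` and a full identity check with `present(cred, ["name", "birthdate"])` from the same credential. The `is_linkable` helper makes the limitation explicit: hiding attribute values is not the same as the unlinkability that anonymous credential systems aim for.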

Mr Suriadi said a single sign-on system backed by the anonymous credential system required the cooperation of businesses and organisations to enable it.

"One use of this could be for the research community, with online libraries and databases applying the anonymous credential system so that the privacy of researchers can be preserved," he said.

"This would be useful for people researching sensitive issues."

Mr Suriadi said for the purposes of accountability, such a system would also allow authorities to revoke users' anonymity in cases of illegal activity.


More information: Suriadi, S., Foo, E., and Jøsang, A. 2009. A user-centric federated single sign-on system. J. Netw. Comput. Appl. 32, 2 (Mar. 2009), 388-401.
Citation: The safe way to use one Internet password (2010, February 25) retrieved 18 September 2019 from


User comments

Feb 25, 2010
Most large enterprises use some sort of single sign-on system internally already (such as ). The reason companies are able to do this internally is because there's one CIO in charge who can tell his employees to do it.

It will never work globally across the internet because there's no one CIO in charge of the internet and SSO integration is a massive and disruptive effort that requires all participating parties to first agree on a standard and then implement it on their servers. There will always be a bunch of competing mini-SSOs revolving around Facebook or Amazon or some other userbase and a huge set of standalone sites such as banks, utility companies, etc. Maybe in 10-20-30 years we'll have some new security paradigm, but hopefully it'll be more realistic and concrete than regurgitating the SSO idea and saying all we have to do now is get all the millions of websites and billions of users to use it.

Feb 25, 2010
Like the article said, this idea of screening your personal information has been around for nearly 3 decades. I still use the old program called Luckman's Anonymous Cookie, although I have heavily modified it for a 64-bit environment. But it's hard to teach everyone how to identify phishing schemes and what is safe and secure versus what is malicious. It's even harder to get everyone to use mixed upper and lower case, alphanumeric, and special-character passwords for good security.

Feb 25, 2010
I think the idea of a single password is a ploy to make the system have an easier time getting into all of your stuff.

So now when you get hacked, they get everything instead of just one thing.

I'll be blunt, this idea sounds retarded and I don't think I would subscribe to it. The government would like nothing more than for you to have a single password, and to have you log in to use the net, so they can boot you and censor free speech if you voice dissent against your system while it rolls out tyranny.
