Is "1" password still "1" password too many?

At a recent conference, I was speaking with a CISO of a F2000 enterprise. We were discussing passwords and the risk that passwords present to their enterprise and brand.

I was really impressed to find out that their company had invested heavily in single-sign-on for all of their corporate applications.

After personally working for the last three decades in technology and leadership roles for similarly sized organizations, I found the fact that his organization had invested such a substantial level effort and expense into a comprehensive application of a single-sign-on to be pretty incredible.

The fact that all their employees could literally just have "1" password to remember, manage and use said a lot about this company's attitudes and values towards security and reducing friction around the user experience of their technology.

Today's Password-based Paradigm - The Security Logic

This CISO further informed me that his organization viewed this "1" password approach as a massive reduction in their company's risk exposure for vulnerabilities associated with passwords versus the average organization which imposes on their employees to remember, manage and keep safe a multitude of passwords for various systems.

This confidence got me thinking...

Does having only "1" password per employee really reduce risk?

The logic that swirled around in my mind was:

• no need to manage "many" passwords
• no need for password manager applications
• only "1" password to reset
• better user experience to simply remember "1" password, and a higher likelihood that their employees won't have to write that password down somewhere

Security's Biggest Weakness - Us (the humans)

From there I got to thinking about the patterns I have observed - both in myself and others - in the real-life of corporate world behavior.

Beyond the "umbrella of coverage" that the company's single-sign-on applications and associated "circle of trust" envelop for corporate applications - there lives a huge spectrum of 3rd party web and mobile services that fall "outside" of that umbrella.

These include everything from car rental, to hotels, wifi hotspot, airlines, etc., just to name a few that are associated with travel alone.

No surprises here, right?

Now, layering on the behavior pattern created when we help users standardize on the use of "1" password for everything...

What password is it likely that the users are going to use for all of these 3rd party web and mobile sites - that fall outside the "corporate umbrella of trust" coverage?

Here's where the "human" aspect of this enters the picture. My guess is that some, maybe a significant number, will use the same or a variation on their "1" password.

That "1" password, well outside of the corporate umbrella of trust, might as well be considered to be as safe as a password at Marriott, Equifax, Yahoo, etc. has been in the last year.

Given that, then...

Having just "1" password is "1" too many. Right?

While many companies in the F2000 believe single-sign-on to be the "state-of-the-art", there is a better way, one that moves past the current "password paradigm" (future blog post on that subject!).

At Vouch, our Vouch Zero Password product removes the need for passwords and integrates to your SSO platform, providing maximum security while removing all the friction of having even just "1" password.