Talk:Password synchronization


The security discussion seems a bit muddled. If a user's password is uncovered from a password synchronization system due to a lower level of protection or encryption in one system, that would indeed compromise that user's password on all systems that receive password synchronization, but the same is true with a single sign-on system. If a password is uncovered by a key logger, say, in a single sign-on system, that password is still compromised and would grant full access to all systems that the single sign-on supports.

The only difference with a password synchronization system is that it might send passwords to systems that use weaker hashing or password protection, whereas a single sign-on system should use the same level of cryptographic strength for all applications and systems in the network. A user's password, once compromised, is no less compromised or powerful with a single sign-on system.

Now, if a single sign-on system takes advantage of two-factor authentication or the like, that would provide more protection than a password synchronization system which uses single factor authentication across an organization. Jonabbey (talk) 06:14, 3 March 2013 (UTC)
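The two points made above (the weakest hash among synchronization targets decides how hard the shared password is to recover, and a second factor at the SSO identity provider is not defeated by that same leak) can be shown concretely. The following is an added example written for this talk page; it is not code from the article, from Jonabbey, or from any real product. The system names, the stored password, the wordlist and the choice of PBKDF2 versus unsalted MD5 as the "strong" and "weak" stores are all constructed assumptions for the demo; the TOTP secret is the RFC 6238 reference value.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000  # assumed "strong" store setting for this demo


def store_strong(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: a per-record salt defeats precomputed tables
    and the round count makes every guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"scheme": "pbkdf2", "salt": salt, "hash": digest}


def store_weak(password):
    """Unsalted MD5, the sort of legacy store a synchronization target may still use."""
    return {"scheme": "md5", "hash": hashlib.md5(password.encode()).digest()}


def verify(record, candidate):
    """Check a candidate password against a stored record (constant-time compare)."""
    if record["scheme"] == "pbkdf2":
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    else:
        digest = hashlib.md5(candidate.encode()).digest()
    return hmac.compare_digest(digest, record["hash"])


def synchronize(password):
    """Password synchronization: one clear-text password fans out to every target,
    each hashing it with whatever scheme that target happens to support.
    The three system names are made up for the example."""
    return {
        "hr_portal": store_strong(password),
        "vpn": store_strong(password),
        "legacy_erp": store_weak(password),
    }


def precomputed_table_attack(stores, wordlist):
    """Attacker holding a leaked copy of every store. One MD5 table over the wordlist
    serves every unsalted record through a dictionary lookup; each salted PBKDF2 record
    would need len(wordlist) * PBKDF2_ROUNDS fresh evaluations, so the attacker skips
    them. Returns what was recovered and the hash work actually spent."""
    table = {hashlib.md5(w.encode()).digest(): w for w in wordlist}
    recovered = {}
    for name, rec in stores.items():
        recovered[name] = table.get(rec["hash"]) if rec["scheme"] == "md5" else None
    return {"recovered": recovered, "hash_evaluations": len(wordlist)}


def blast_radius(stores, password):
    """Every synchronized system the single recovered password now opens."""
    return [name for name, rec in stores.items() if verify(rec, password)]


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), used as the second factor in the SSO case below."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def sso_login(idp_record, totp_secret, password, otp, now):
    """Single sign-on identity provider requiring the password AND a current TOTP code.
    A password recovered from a weak synchronization target is not enough on its own."""
    password_ok = verify(idp_record, password)
    otp_ok = hmac.compare_digest(otp, totp(totp_secret, now))
    return password_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo data.
    secret_password = "Winter2013!"
    wordlist = ["password", "letmein", "Winter2013!", "qwerty"]
    stores = synchronize(secret_password)
    attack = precomputed_table_attack(stores, wordlist)
    print("recovered:", attack["recovered"], "after", attack["hash_evaluations"], "MD5 evaluations")
    cracked = attack["recovered"]["legacy_erp"]
    print("the weakest target gave up a password valid on:", blast_radius(stores, cracked))
    idp = store_strong(secret_password)
    totp_secret = b"12345678901234567890"  # RFC 6238 reference secret
    now = 59
    print("SSO with password only:", sso_login(idp, totp_secret, cracked, "000000", now))
    print("SSO with password + TOTP:", sso_login(idp, totp_secret, cracked, totp(totp_secret, now), now))
```

Run as a script, it recovers the password from the unsalted store alone, shows that the same string then verifies on the two PBKDF2 targets as well (that is the synchronization cost the comment describes), and then shows the identity provider rejecting that password without a matching TOTP code. The "attacker skips the salted records" modelling is a simplification to keep the cost comparison visible; with enough budget a dictionary attack on PBKDF2 would still succeed, just at PBKDF2_ROUNDS times the price per guess.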