The primary goal of single sign-on is to eliminate passwords, which OneLogin can achieve using SAML, OpenID and proprietary protocols. However, most applications don't support SAML and there are even SAML-enabled applications that still require a user password, such as for POP3 and IMAP.
Having multiple passwords is undesirable because the user has to memorize them, which means they probably will be weak and the user will waste time manually entering, changing and recovering passwords. OneLogin can alleviate this by caching those passwords and automating the login process. In OneLogin terminology this is called form-based authentication.
The password used to sign into OneLogin is called the SSO password. Users who are managed directly in OneLogin will have their SSO password stored in OneLogin. Users who are managed in an external directory such as Active Directory or LDAP will have their passwords stored there.
It is sometimes useful to have OneLogin send the SSO password to other applications. For example, if your organization is using Google Apps, OneLogin can ensure your Google password is the same as your SSO password. This is done as part of the provisioning process and is built into the provisioning connector for each app.
OneLogin can also send the SSO password to applications via form-based authentication.
If you don't want OneLogin to be able to send SSO passwords to applications, you can disable this under Account > Settings > Password Controls > Enable password mapping.
Many applications require users to sign in with a password, especially applications that are not multi-user, such as CDW, Facebook, FedEx, SurveyMonkey, and Twitter. There are also real business applications that don't yet support SAML, or maybe your organization is on a plan that doesn't give you SAML capability for free. In these cases, OneLogin can store the user passwords and automate the sign-on process using form-based authentication.
Application passwords encrypted in OneLogin use an account-specific key and are decrypted on-demand before they are sent to an application. Credentials can be managed in three different ways:
- Shared – the admin configures one set of credentials that will apply to all users of the app
- Configured by users – users manage their own credentials
- Configured by admin – credentials are managed by the admin and are not accessible by the users of the app
Only in very rare cases does someone actually guess your password. Most password attacks are done by software with sophisticated algorithms. Some classes of weak passwords are:
- Dictionary words: automobile, cupcake, butterfly, atlanta, happiness. These passwords are easily hacked by computers since most dictionaries only have a few hundred thousand words. And most people only have an active vocabulary of a few thousand words.
- Short words with numbers at the end: rose123, john999, good2001
- Personal information: charlotte, 09031984. Names and personal information are easily hacked because there are few combinations.
- Default passwords: admin, password, guest etc. Many products have default values that some people never change. As an example, it's hard to find a place in a city that doesn't have at least on WiFi hotspot called linksys. And is unprotected.
Most of us know that these passwords are weak, but we also know how easily we forget and that's the reason most people have weak passwords.
A strong password is one that has high entropy or randomness. Even a lower case six-character password is not very strong if it only consists of letters because there are only 26^6 = 308,915,776 combinations. And if the password is a dictionary word, there are only a few thousand combinations.
If you mix upper and lower case characters with digits special and special character, you now have 94 different combinations per position compared to 26 if you only used lower case characters. The total number of combinations for six characters is now 94^6 = 689,869,781,056, which gives 2,000 times more combinations.
If we double the number of characters to 12, we now get 475,920,314,814,253,376,475,136 different combinations.
Strong passwords are very hard to remember and are impractical to type, which is why you want to either use a secure password manager or eliminate the use passwords as much as possible.