Skip to main content


Episode 364 of the #osspodcast in which Kurt had bad shwarma, @joshbressers agrees that good shwarma is great, and we learn that it's also hard to know what's in your software even if you do #SBOM https://opensourcesecurity.io/2023/02/26/episode-364-using-sboms-is-hard/ TL;DR: We got different kinds of SBOM, SBOM drift, services and APIs, and then there some complicated problems on top of all that. Also legal obligations.
I’ve been enjoying your podcast for quite a while. But I recall you mention SSO is the future. Until then password managers are the second best thing. But why? For user’s perspective I feel password managers are the safest and easiest to use (I don’t like being redirected). I see benefits in SSO for administrators, but not for end users.
The answer to this isn't simple and I think we've discussed it long ago. I'm too lazy to try to find it, so I'll do my best

Password mangers are great, if you can get people to use them. The fundamental problem with a password manager is for normal people, the experience is very bad. It's complicated, and clunky, and if they forget their master password it's all over

SSO as we use it today is also terrible. If you get locked out of your gmail account, it's pretty much over
We need SSO that looks a bit more like current enterprise SSO. Account recovery being the important goal

Of course we also need a way to multi-factor that SSO because if an attacker gains access you have huge problems, but that's a huge problem in itself

I think the single biggest advantage SSO gives us outside of the hilarious ease at which we can login, is the security of a proper SSO system
A properly run SSO can watch for broad attacks and stop them for everyone. You get to see a lot of behavior data. You know if they login from California, then try to login from Russia 12 minutes later, something is wrong

But none of this is real or possible today. Having a few well run central SSO authorities won't be cheap. It would be a huge money sink I imagine. A bit like the post office

But we can dream 😀

In the meantime, we can keep using password managers