Security Encyclopedia

Identity Sprawl

Identity sprawl refers to the growth in the number of separate, incompatible accounts a user creates to access online services. As the number of accounts increases, the user’s identity is said to spread, scatter, or “sprawl” across services, largely needlessly, since a more unified approach would do the opposite and consolidate identity.

Systems that consolidate or federate identity help from both a usability and a security perspective. Users prefer to manage fewer credentials, and one consequence of identity sprawl is that users recycle passwords across different services, leaving enterprises open to credential stuffing: an attacker replays username/password pairs leaked from one service against many others. The availability of lost or stolen credentials on the dark web also makes dictionary, brute-force, and hybrid attacks a worthwhile undertaking, since leaked passwords seed the attacker’s wordlists; starting an attack from known credentials rather than guessing from scratch removes most of the difficulty, which increases the likelihood of success and therefore its profitability.
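The two sides of the problem described above can be checked in code. The following is an added example, not part of the original encyclopedia entry: one function flags credential-stuffing behaviour in authentication logs (one source trying many distinct usernames with a low success rate inside a time window), and a second finds reused passwords in a password-manager export. The log line format, the vault entries, the thresholds, and all names are assumptions constructed for the demonstration.

```python
"""Credential-stuffing detection and password-reuse check (added example).

Assumptions (not from the original page): log lines look like
"<ISO-8601 timestamp> <source IP> <username> <OK|FAIL>", and a vault export
is a list of (service, password) tuples.
"""
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: one source sprays ten different accounts in ten
# seconds (and gets one hit), one source hammers a single account, one
# source is an ordinary login.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 alice FAIL
2024-05-01T10:00:01Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave OK
2024-05-01T10:00:04Z 203.0.113.7 erin FAIL
2024-05-01T10:00:05Z 203.0.113.7 frank FAIL
2024-05-01T10:00:06Z 203.0.113.7 grace FAIL
2024-05-01T10:00:07Z 203.0.113.7 heidi FAIL
2024-05-01T10:00:08Z 203.0.113.7 ivan FAIL
2024-05-01T10:00:09Z 203.0.113.7 judy FAIL
2024-05-01T10:05:00Z 198.51.100.23 alice FAIL
2024-05-01T10:05:30Z 198.51.100.23 alice FAIL
2024-05-01T10:06:00Z 198.51.100.23 alice OK
2024-05-01T12:00:00Z 192.0.2.44 bob OK
"""

# Constructed password-manager export: the same password on three sites.
SAMPLE_VAULT = [
    ("webmail.example", "Summer2019!"),
    ("shop.example", "Summer2019!"),
    ("forum.example", "Summer2019!"),
    ("bank.example", "t4!Qz9#wLm2^Rp7"),
]


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, success)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=8, max_success_rate=0.2):
    """Return {source_ip: {"accounts", "attempts", "successes"}} for sources
    that, within any single sliding window, tried at least min_accounts
    distinct usernames with a success rate of at most max_success_rate.
    The recorded numbers are those of the last window that matched."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, user, ok = parse_line(line)
            events_by_ip[ip].append((when, user, ok))

    flagged = {}
    for ip, events in events_by_ip.items():
        events.sort()
        recent = deque()  # events inside the current window, oldest first
        for event in events:
            recent.append(event)
            while event[0] - recent[0][0] > window:
                recent.popleft()
            accounts = {user for _, user, _ in recent}
            successes = sum(1 for _, _, ok in recent if ok)
            if len(accounts) >= min_accounts and successes / len(recent) <= max_success_rate:
                flagged[ip] = {"accounts": len(accounts),
                               "attempts": len(recent),
                               "successes": successes}
    return flagged


def find_reused_passwords(vault):
    """Group services by password and return {fingerprint: [services]} for
    every password used on more than one service. The report carries a
    truncated SHA-256 fingerprint rather than the plaintext."""
    by_password = defaultdict(list)
    for service, password in vault:
        fingerprint = hashlib.sha256(password.encode()).hexdigest()[:12]
        by_password[fingerprint].append(service)
    return {fp: sorted(services) for fp, services in by_password.items()
            if len(services) > 1}


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
    print(find_reused_passwords(SAMPLE_VAULT))
```

Note the single `OK` inside the sprayed window: a stuffing run that succeeds once is the case that matters, so the rule keys on the number of distinct accounts tried, not on failures alone. The second source (three tries against one account) is a brute-force pattern against one user and is deliberately not matched by this rule; a per-account failure threshold would cover it.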

Examples of systems that consolidate identity are single sign-on (SSO) in the enterprise and social sign-on with Facebook or LinkedIn, which lets consumers access other platforms through Facebook’s or LinkedIn’s federated identity capability. Consolidation concentrates risk in the identity provider, so the account used to sign in everywhere needs stronger protection, such as multi-factor authentication, than any one of the accounts it replaces.

Example:

“My New Year’s resolution is to close all of these useless accounts for online services I no longer use. This identity sprawl is a nuisance and risky since I know there are some embarrassingly simple passwords that I’ve used over and over again.”