How poor crypto housekeeping left OpenID open to abuse

Slipshod cryptographic housekeeping left some OpenID services far less secure than they ought to be. OpenID is a shared identity service that eliminates the need for punters to create separate IDs and logins for websites that support the service. A growing number of around 9,000 websites support the decentralised …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

"The modern equivalent of a small earthquake in Chile"

I wonder how many people will get this reference from the 1930s?

"Small earthquake in Chile. Not many dead." was (according to Claud Cockburn, 1904-1981) the winner of a competition for the dullest newspaper headline, but this may well have been his invention, in both senses!


old SSL certificates

If only there was some kind of online certificate status protocol that could be used to determine if a certificate was valid. Then Sun could make sure no one misused the old cert.

Paris Hilton

Defective by design

Am I the only person who thinks that having a single point of entry to all of an individual's accounts across multiple websites is, perhaps, not a great idea?

Personally I'd much rather, and do, have multiple logins and multiple passwords. At least that way if some scumbag manages to brute force one of my accounts the others are still relatively safe.

This whole OpenID thing just seems a little dubious to me.

Paris, cos she's got more than one point of entry.

Silver badge
Linux

Sun don't eat their own dog food?

So Sun aren't using Solaris anymore, eh?

Thumb Up

@Defective by design

I wouldn't use OpenID for banking but if I type a password into irc/msn/whatever, I would rather change it in one place than many.

With the current system of isolated authentication, there is a tradeoff between remembering dozens of passwords (and probably choosing less secure ones as a result) and reusing passwords on many sites (which risks the password being leaked and makes changing passwords much more difficult).


It's "Light Blue Touchpaper"...

The extra 'the' spoils the Cambridge in-joke. Good article, though.

Anonymous Coward

@Andrew Shirley

"there is a tradeoff between remembering dozens of passwords (and probably choosing less secure ones as a result) and reusing passwords on many sites"

You forget the third option, which is the most sensible option in my view: invent complicated passwords, all of them different, and keep them in a text file, which you keep encrypted with another complicated password, which is the only password you will really need to remember.
