back to article How poor crypto housekeeping left OpenID open to abuse

Slipshod cryptographic housekeeping left some OpenID services far less secure than they ought to be. OpenID is a shared identity service that enables users to eliminate the need to create separate IDs and logins for websites that support the service. A growing number of around 9,000 websites support the decentralised service, …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    "The modern equivalent of a small earthquake in Chile"

    I wonder how many people will get this reference from the 1930s?

    "Small earthquake in Chile. Not many dead." was (according to Claud Cockburn, 1904-1981) the winner of a competition for the dullest newspaper headline, but this may well have been his invention, in both senses!

  2. James Henstridge

    old SSL certificates

    If only there was some kind of online certificate status protocol that could be used to determine if a certificate was valid. Then Sun could make sure no one misused the old cert.

  3. Anonymous Coward
    Paris Hilton

    Defective by design

    Am I the only person who thinks that having a single point of entry to all of an individuals accounts across multiple websites is, perhaps, not a great idea?

    Personally I'd much rather, and do, have multiple logins and multiple passwords. At least that way if some scumbag manages to brute force one of my accounts the others are still relatively safe.

    This whole openID thing just seems a little dubious to me.

    Paris, cos she's got more than one point of entry.

  4. Gordon Ross Silver badge
    Linux

    Sun don't eat their own dog food ?

    So Sun aren't using Solaris anymore, eh ?

  5. Andrew Shirley
    Thumb Up

    @Defective by design

    I wouldn't use openId for banking but if I type a password into irc/msn/whatever, I would rather change it in one place than many.

    With the current system of isolated authentication, there is a tradeoff between remembering dozens of passwords (and probably choosing less secure ones as a result) and reusing passwords on many sites (which risks the password being leaked and makes changing password much more difficult)

  6. J-Wick

    It's "Light Blue Touchpaper"...

    The extra 'the' spoils the Cambridge in-joke. Good article, though.

  7. Anonymous Coward
    Anonymous Coward

    @Andrew Shirley

    "there is a tradeoff between remembering dozens of passwords (and probably choosing less secure ones as a result) and reusing passwords on many sites"

    You forget the third option, which is the most sensible option in my view: invent complicated passwords, all of them different, and keep them in a text file, which you keep encrypted with another complicated password, which is the only password your will really need to remember.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020