
authenticating with XMPP ID (jabber address)

Posted May 28, 2008 12:58 UTC (Wed) by rfunk (subscriber, #4054)
In reply to: authenticating with XMPP ID (jabber address) by martinfick
Parent article: The problem(s) with OpenID

If email authentication is used to reset my password, then access to my email is equivalent to access to my password. It doesn't matter whether it's intended to be a rare occurrence or an everyday occurrence; the equivalence is the same either way. (This is why I hate systems that require me to give them an answer to some simple question "in case I forget my password," since that answer ends up being a weak password-equivalent.)


Your spurious HA complaint has already been well-addressed by others.



Nope. Password reset != access to password

Posted May 28, 2008 16:53 UTC (Wed) by khim (subscriber, #9252) [Link]

If email authentication is used to reset my password, then access to my email is equivalent to access to my password.

If you can only reset the password then you cannot use email as a password replacement. You cannot return the password to its original state, thus any such access will be visible to the original owner. It's enough for many things.

This is why I hate systems that require me to give them an answer to some simple question "in case I forget my password," since that answer ends up being a weak password-equivalent.

You can always fix the system by entering a word from /dev/random there. On the other hand, the lack of such a system would be a disaster for "normal" people who are not accustomed to the world of IT, where it is possible to create a virtually unbreakable lock. They expect that the police can always open the door if needed...
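The following is an added example, not code from this thread or from any of the commenters: a minimal Python model of the email password-reset flow that rfunk and khim are arguing about. Every name in it (ResetService, request_reset, complete_reset, the audit list) and the 15-minute token lifetime are assumptions of this example. It shows the two properties at issue: the mailed token is a one-shot, time-limited credential that lets its holder *replace* the password but never learn it, and completing a reset leaves evidence the real owner can see (the old password stops working, existing sessions die, an audit entry is written).

```python
"""Toy email password-reset service (added example; names are hypothetical)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: reset links expire after 15 minutes


def _hash_secret(secret, salt):
    # Slow, salted hash: a stolen user table does not hand out passwords.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    generation: int = 0                  # bumped on each reset; sessions carry it
    audit: list = field(default_factory=list)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, _hash_secret(password, self.salt))


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock               # injectable so expiry can be tested
        self.users = {}                  # email -> User
        self.pending = {}                # sha256(token) -> (email, expiry time)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = User(email, salt, _hash_secret(password, salt))

    def login(self, email, password):
        """Return a session dict, or None if the password is wrong."""
        user = self.users.get(email)
        if user is None or not user.check_password(password):
            return None
        return {"email": email, "generation": user.generation}

    def session_valid(self, session):
        user = self.users.get(session["email"])
        return user is not None and session["generation"] == user.generation

    def request_reset(self, email):
        """Return the token that would be mailed, or None for an unknown address."""
        user = self.users.get(email)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        # Only a digest is stored: reading the database does not yield usable links.
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[digest] = (email, self.clock() + TOKEN_TTL_SECONDS)
        user.audit.append(("reset_requested", self.clock()))
        return token

    def complete_reset(self, token, new_password):
        """Consume the token and set a new password. Never reveals the old one."""
        digest = hashlib.sha256(token.encode()).digest()
        entry = self.pending.pop(digest, None)     # pop: a token works once
        if entry is None:
            return False
        email, expires = entry
        if self.clock() > expires:
            return False
        user = self.users[email]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash_secret(new_password, user.salt)
        user.generation += 1                       # every existing session is now dead
        user.audit.append(("password_reset", self.clock()))
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice@example.org", "correct horse")   # constructed sample user
    token = svc.request_reset("alice@example.org")
    print("reset ok:", svc.complete_reset(token, "new-secret"))
    print("old password still works:", svc.login("alice@example.org", "correct horse") is not None)
    print("audit:", svc.users["alice@example.org"].audit)
```

The point khim makes falls out of the last lines: someone who reads Alice's mailbox can take the account over, but cannot hand it back in its original state, because the old hash is gone and the audit trail and the owner's failed logins record the takeover.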

authenticating with XMPP ID (jabber address)

Posted May 28, 2008 16:57 UTC (Wed) by martinfick (subscriber, #4455) [Link]

I was not referring to the security mechanism of using email for authentication; your comparison there is correct, email is similar. But I was talking about the HA part, for which email authentication is not equivalent! If you temporarily lose access to your email you are still able to log in to your accounts without it, you simply have lost the ability to "reset" your accounts. With OpenID, if you temporarily lose access to your OpenID server, you are SOL. This really is different.

authenticating with XMPP ID (jabber address)

Posted May 28, 2008 18:32 UTC (Wed) by tzafrir (subscriber, #11501) [Link]

Many people today have a single point of failure: the local passwords list file. 

authenticating with XMPP ID (jabber address)

Posted May 28, 2008 19:03 UTC (Wed) by martinfick (subscriber, #4455) [Link]

These people still have at their disposal simple cheap HA solutions to this if they choose.  

1) memory
2) cp passwdfile passwdfile.bak
3) + email passwdfile.bak file to offsite email account
4) + encrypt passwdfile.bak before emailing offsite
5) cp passwdfile  to USBstick/passwdfile.bak
... the list goes on.  

While not everyone chooses to do these, at least they are reasonably available to them.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds