
Security quotes of the week

Advocates for data retention typically focus narrowly on the benefits afforded to law enforcement without accounting for the massive costs and extreme security risks that come with storing significant quantities of data about every Internet user — databanks that will prove to be irresistible not only to government investigators but also civil litigants (read: ex-spouses, insurance companies, disgruntled neighbors) and malicious hackers of every stripe. A legal obligation to log users' Internet use, paired with weak federal privacy laws that allow the government to easily obtain those records, would dangerously expand the government's ability to surveil its citizens, damage privacy, and chill freedom of expression.
-- Electronic Frontier Foundation in its Deeplinks blog

We first jumped on the OpenID bandwagon back in 2007 when it was seen as a promising way to make logging into websites simpler. What we've learned over the past three years is that it didn't actually make anything any simpler for the vast majority of our customers. Instead it just made things harder. Especially when people were having problems with the often flaky OpenID providers and couldn't log into their account. OpenID has been a burden on support since the day it was launched.
-- 37signals drops OpenID support

OpenID

Posted Jan 27, 2011 21:30 UTC (Thu) by CortoMaltese (guest, #56615) [Link]

I've also found that OpenID has become a control point of sorts. All the big players (Google, Yahoo, etc.) want to be OpenID providers, but they are not accepting OpenIDs provided by others.

Security quotes of the week

Posted Jan 27, 2011 22:08 UTC (Thu) by ScottMinster (subscriber, #67541) [Link]

It's too bad some people are having trouble with OpenID. I've never had much trouble with it, myself. But some of the links mention issues with MS and Google fighting over standards, so maybe that's where the trouble is -- I've always used MyOpenID, through a redirect on my domain. That's the part I like the best about OpenID. If MyOpenID isn't a good provider, I can very easily change to a different one, theoretically without affecting any site I log into. I've never tried that; maybe that works better in theory than in practice.

It would be nice if more sites used OpenID so I didn't have to make separate accounts there (*cough* LWN *cough*)

Security quotes of the week

Posted Jan 27, 2011 23:38 UTC (Thu) by ballombe (subscriber, #9523) [Link]

It would also be nice if it was easier to set up an OpenID provider, instead of delegating identification to a third party.

Security quotes of the week

Posted Jan 28, 2011 6:56 UTC (Fri) by The_Barbarian (subscriber, #48152) [Link]

Idiots. I don't even join sites that don't have OpenID anymore.

And LWN should add OpenID. Hopefully before I decide to start dropping sites that don't have it.

Security quotes of the week

Posted Jan 28, 2011 22:10 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

> I don't even join sites that don't have OpenID anymore.

Strange that that works for you. I guess I have an identity on about 50 sites, and only two of them take OpenID (both as an option). And one of them doesn't work -- says Yahoo provides the wrong version of OpenID.

I thought it was dead.

Security quotes of the week

Posted Jan 29, 2011 19:24 UTC (Sat) by docwhat (subscriber, #40373) [Link]

I've never had problems with OpenID that weren't my own doing (I set up some bogus rewrite rules on my web-site that broke my OpenID provider). If my provider fails, it reverts back to using myopenid, and several others.

The exception is Source Forge, which never worked for any of my providers....so I continue to use my old password login. But if they ever get it to work, then my OpenIDs will work because I associated it.

I have close to a hundred trusted OpenID sites on my own provider (Thank you Will Norris and his WordPress OpenID provider). I don't know how many on the other ones.

Ciao!

Open ID

Posted Jan 29, 2011 20:36 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

I forgot about Sourceforge. That makes three sites I use that claim to take Open ID, and two don't work. (I tried SF again just now, and the symptom is it creates a new SF user for me when I attempt to log in with the Yahoo OpenID that is associated with my real SF user).

Maybe OpenID is actually available in more places and I've just learned to tune it out because of these bad experiences. I can certainly see the point of the OpenID detractors: I just spent 30 minutes futzing with OpenID on Sourceforge, whereas traditional userid/password is quick, easy, and requires no special skill.

On the other side of the coin: Sourceforge reports today that someone may have stolen Sourceforge passwords. If someone stole mine, he has access to fifty other accounts of mine, and I'm certainly not going to change my password on all of those.

Open ID

Posted Jan 31, 2011 18:19 UTC (Mon) by docwhat (subscriber, #40373) [Link]

It is definitely the case that comparing "same user/pass on all accounts" to source forge isn't an apple/oranges comparison. "Put all your eggs in one basket and guard that basket" is how I treat my openid providers.

Open ID

Posted Feb 3, 2011 21:19 UTC (Thu) by ggiunta (guest, #30983) [Link]

You mean it was not already stolen in the gawker breach? ;-)
I too used to have a low-security password for 95% of web accounts so far, but I am thinking about better schemes at the moment.

A better password scheme

Posted Feb 5, 2011 10:25 UTC (Sat) by paulj (subscriber, #341) [Link]

Here's a good scheme for not-so-important stuff, that will ensure you'll never forget a password and that breaches at any 1 web site will never compromise other accounts of yours at other sites:

1. Auto-generate a *distinct* random password for each web site that wants one

2. Save it to a file

E.g. (you may wish to make it more robust):

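#!/bin/bash

# Directory holding one password file per site
PASSWORDDIR=~/.notsosecrets

# Append a new random 12-character password (no special characters) for site $1
echo "$1 $(mkpasswd -s 0 -l 12)" >> "$PASSWORDDIR/.password.$1.txt"
# Show the stored entries for that site
cat "$PASSWORDDIR/.password.$1.txt"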

And use it like:

notsosecret example.com

And then cut&paste the password into the form on example.com and have your browser remember it if it can.
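
A more defensive variant of the script above, as an added example that is not part of the original comment: it reads the password from /dev/urandom instead of calling mkpasswd, creates the store with umask 077, rejects site names that contain a path separator, and generates a password only on first use so that re-running it returns the stored one. The function names gen_password and notsosecret are this example's own.

```shell
#!/bin/sh
# Added example: hardened per-site password store (not the commenter's code).
PASSWORDDIR="$HOME/.notsosecrets"

# Print 16 alphanumeric characters taken from the kernel CSPRNG (~95 bits).
gen_password() {
    raw=$(head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9')
    [ "${#raw}" -ge 16 ] || return 1
    printf '%.16s\n' "$raw"
}

# Print "<site> <password>" for site $1, creating the entry on first use only.
notsosecret() {
    # Reject empty names and names that could escape or hide in the directory.
    case $1 in
        ''|*/*|.*) echo "invalid site name" >&2; return 2 ;;
    esac
    (
        umask 077    # new directory is 0700, new files are 0600
        mkdir -p "$PASSWORDDIR" && chmod 700 "$PASSWORDDIR" || exit 1
        file="$PASSWORDDIR/.password.$1.txt"
        if [ ! -s "$file" ]; then
            pw=$(gen_password) || exit 1
            printf '%s %s\n' "$1" "$pw" > "$file"
        fi
        cat "$file"
    )
}

# Command-line use: notsosecret example.com
if [ $# -gt 0 ]; then
    notsosecret "$1"
fi
```
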

Security quotes of the week

Posted Jan 30, 2011 1:35 UTC (Sun) by jthill (guest, #56558) [Link]

? sf takes my launchpad openid just fine.

Security quotes of the week

Posted Jan 31, 2011 18:16 UTC (Mon) by docwhat (subscriber, #40373) [Link]

Yeah, it's working for me now. A bit convoluted to attach it to my old account, but it's all working...so I'm happy.

Considering I filed a bug and described what the issue was, I'm surprised I didn't get notified when they fixed it. Though their comments at the time were unhelpful.

Ciao!

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds