Open ID

Posted Jan 29, 2011 20:36 UTC (Sat) by giraffedata (subscriber, #1954)
In reply to: Security quotes of the week by docwhat
Parent article: Security quotes of the week

I forgot about Sourceforge. That makes three sites I use that claim to take Open ID, and two don't work. (I tried SF again just now, and the symptom is it creates a new SF user for me when I attempt to log in with the Yahoo OpenID that is associated with my real SF user.)

Maybe OpenID is actually available in more places and I've just learned to tune it out because of these bad experiences. I can certainly see the point of the OpenID detractors: I just spent 30 minutes futzing with OpenID on Sourceforge, whereas traditional userid/password is quick, easy, and requires no special skill.

On the other side of the coin: Sourceforge reports today that someone may have stolen Sourceforge passwords. If someone stole mine, he has access to fifty other accounts of mine, and I'm certainly not going to change my password on all of those.


Open ID

Posted Jan 31, 2011 18:19 UTC (Mon) by docwhat (subscriber, #40373)

It is definitely the case that comparing "same user/pass on all accounts" to Sourceforge isn't an apple/oranges comparison. "Put all your eggs in one basket and guard that basket" is how I treat my OpenID providers.

Open ID

Posted Feb 3, 2011 21:19 UTC (Thu) by ggiunta (guest, #30983)

You mean it was not already stolen in the Gawker breach? ;-)
I too used to have a low-security password for 95% of web accounts so far, but I am thinking about better schemes at the moment.

A better password scheme

Posted Feb 5, 2011 10:25 UTC (Sat) by paulj (subscriber, #341)

Here's a good scheme for not-so-important stuff, that will ensure you'll never forget a password and that breaches at any 1 web site will never compromise other accounts of yours at other sites:

1. Auto-generate a *distinct* random password for each web site that wants one

2. Save it to a file

E.g. (you may wish to make it more robust):

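#!/bin/bash
# Usage: notsosecret <site>

PASSWORDDIR=~/.notsosecrets
mkdir -p "$PASSWORDDIR"   # make sure the store directory exists

# Append a new 12-character password (no special characters) for the site
echo "$1 $(mkpasswd -s 0 -l 12)" >> "$PASSWORDDIR/.password.$1.txt"
# Show what is stored for this site so it can be copied
cat "$PASSWORDDIR/.password.$1.txt"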

And use it like:

notsosecret example.com

And then cut&paste the password into the form on example.com and have your browser remember it if it can.
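
A more robust variant of the script in the comment above, as an added example that is not part of the original post: it keeps one stable entry per site, makes the plaintext store owner-only, and rejects site names that could escape the store directory. Assumptions: NOTSOSECRETS_DIR is a hypothetical override for the store location, and /dev/urandom with tr stands in for mkpasswd.

```shell
#!/bin/sh
# Added example: hardened take on the per-site password store.
# NOTSOSECRETS_DIR is a hypothetical override, not part of the original script.

store_dir() { printf '%s\n' "${NOTSOSECRETS_DIR:-$HOME/.notsosecrets}"; }

# Accept only hostname-like names, so "$1" can never contain "/" or ".."
# and the resulting path always stays inside the store directory.
valid_site() {
    case "$1" in
        ''|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# 12 random alphanumeric characters from the kernel CSPRNG
# (used here in place of `mkpasswd -s 0 -l 12`).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom 2>/dev/null | head -c 12
}

# Print the entry for a site, generating the password on first use only.
notsosecret() {
    valid_site "$1" || { echo "invalid site name: $1" >&2; return 1; }
    dir=$(store_dir)
    file="$dir/.password.$1.txt"
    (
        umask 077    # anything created below is readable by the owner only
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        # Keep an existing entry instead of appending a second password.
        [ -s "$file" ] || printf '%s %s\n' "$1" "$(gen_password)" > "$file"
    ) || return 1
    cat "$file"
}

# Run as a script: notsosecret example.com
if [ "$#" -gt 0 ]; then notsosecret "$1"; fi
```

The store is still plaintext on disk, so the owner-only permissions and the protection of the account holding it are what guard the passwords.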

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds