The primary benefit of using SSL for your OpenID URL is that it gives the relying party a mechanism to discover if DNS has been tampered with. And while I’m on the subject, It’s impossible for the relying party to tell if an OpenID URL with a self-signed certificate has been compromised.

There are other benefits you get from using SSL on your provider’s endpoint URL (easier to establish associations, no eavesdropping on the extension data) which would still hold if you used a self-signed cert, but I would consider those to be secondary.

Ok, it doesn’t have to be a 1, maybe a 2, or qaz? If someone was to guess it, it would take them much longer then if it was the same. Or you can check this post out. http://www.makeuseof.com/tag/how-to-create-strong-password-that-you-can-remember-easily/

Good idea, no one would ever think of trying that.

(My sarcasm tag didn’t display properly)

Good idea, no one would ever think of trying that.

“But then again, what happens if your third party OpenID provider gets hacked or something? It’s a catch 22.”

That’s why OpenID is a bad idea. Too much risk. It might make sense for a site where you have to log on to post a comment or newspaper sites that make you log on to read articles, or maybe some other sites that have absolutely no personal information attached to them. But if you think OpenID is a good idea for financial sites, email accounts, or other high-value logons you’re crazier that I thought.

There isn’t a whole lot of difference and they are both REALLY bad ideas. Just look at what happened to the Twitter employee who used the same password for multiple accounts.

Hoever, one big difference is that using the same logon and password for multiple accounts still allows you to change each account if you wish. If you use OpenID they are all using THE SAME logon and password, so if one is compromised they are by definition all compromised. If I happen to use the same logon and password at multiple sites and I fear any one of them has been compromised, I can always go to the others and change my password.

Use different random passwords for each account and use a product like KeePass or Password Safe to keep all your passwords secure.

But then again, what happens if your third party OpenID provider gets hacked or something? It’s a catch 22.

For example, when posting on other Blogs, or other things that you will visit once in a Blue moon, OpenID is good to have. But seriously, out of all the websites that you have to log in to or register an account for a site that you probably would never visit again, OpenID is great. It is a quick and easy, one step signup. No entering names, emails etc.
It is hard trying to remember them all, thus remembering those different passwords, so chances are you have one password already that you use on multiple sites. For example, your Myspace, facebook, twitter password is probably the same. What’s the difference of using the same password, you my as well use OpenID

I just think that having another OpenID provider running instead of running your own software for OpenID is much more secure. For example, if a security flaw is found in phpMyID it will possibly allow your account to be compromised unless you keep a vigilant eye on it, something other OpenID providers are staking their business on and ostensibly have whole teams dedicated to keeping themselves secure.

I actually came to the same realization a year or so ago, after really digging my teeth into it. The only reason I keep an OpenID account forwarded (like the above) to my personal URL – is I use Verisign PIP authentication with a OTP (One time password) keychain so that it is more secure than username/password combo. However, let’s say someone employed at Verisign decides to hack or compromise account information in some way, then all your accounts are vulnerable.

Sometimes, the best password policy is to have 3 or 4 passwords you use on different sites to try to help mitigate the effect if one of your account passwords is somehow compromised.