Comments on: OpenID Overview and Four Awesome Providers

By: Ekpenso : Free Online Mind Mapping Software | MakeUseOf.com

Ekpenso : Free Online Mind Mapping Software | MakeUseOf.com — Sat, 05 Jul 2008 12:18:37 +0000

[...] Login with your OpenID account (What Is OpenID ?). [...]

By: Advanced Online Note Taking Made Easy | Sinlung News

Advanced Online Note Taking Made Easy | Sinlung News — Sun, 29 Jun 2008 09:00:26 +0000

[...] Springnote is a Wiki based online note taking utility. Sounds simple and that’s what it is. But even though it’s simple, it’s far from being simplistic! Springnote doesn’t come short in features, yet remains easy to use because all of the functions are useful and smart and ordered in a plain way, instantly making you feel comfortable using them. Springnote supports OpenID, which you can read about in Dave’s article OpenID Overview and Four Awesome Providers. [...]

By: Advanced Online Note Taking Made Easy | MakeUseOf.com

Advanced Online Note Taking Made Easy | MakeUseOf.com — Sat, 28 Jun 2008 19:00:31 +0000

[...] Springnote supports OpenID, which you can read about in Dave’s article OpenID Overview and Four Awesome Providers. [...]

By: MKTG2032 Links Post 29: Another mixed set « Mktg2032’s Weblog

MKTG2032 Links Post 29: Another mixed set « Mktg2032’s Weblog — Sun, 18 May 2008 23:53:33 +0000

[...] OpenID Overview and Four Awesome Providers | MakeUseOf.com OpenID providers, and some broad information on the principles, practices and where to use open ID [...]

By: Jason C

Jason C — Fri, 02 May 2008 03:46:54 +0000

I used to be concerned about remembering all of my different logins and passwords (I am the type of person that can’t keep the same username anywhere, I don’t know why but it’s definately an annoying trait), but I went ahead and installed the Password Hasher extension for Firefox on all of my computers. That way it just boils down to remembering what your hash password is and it generates your password successfully for each site based upon it’s tag and encryption settings.

Now logging into websites and services online is a lot less of a headache. I would really be hesitant to throw all of my logins on the net and just trust that they’re in good hands.

By: Peter

Peter — Thu, 01 May 2008 01:25:06 +0000

Yes, but if one is broken into only that account is compromised. If my OpenID provider’s servers are hacked, then ALL my OpenID accounts are compromised.

By: Keeping Safe on the Web: 8 Firefox Addons for Privacy and Security | MakeUseOf.com

Wed, 30 Apr 2008 20:47:16 +0000

[...] my previous post on OpenID and why I think it is a good idea to have [...]

By: Justin Shattuck

Justin Shattuck — Thu, 24 Apr 2008 19:15:31 +0000

Scott I beat you! And I dont even work for Vidoop, brahahah! However, I know Koes and Clay (the owners son) hehe so I plug ya guys when I can.. Not to mention; holy crappers it’s a great service!

By: Fred

Fred — Thu, 24 Apr 2008 12:37:36 +0000

Dave -

Thanks for explaining - I definitely understand where you’re coming from, and I agree. Again, thanks for including us - I appreciate it!

_Fred

By: Terrell Russell

Terrell Russell — Wed, 23 Apr 2008 05:05:52 +0000

Thanks Dave (and Scott),

We *are* planning to deploy the ImageShield and it *will* improve the security of our already-industry-standard SSL logins.

More here:
http://blog.claimid.com/2008/04/claimid-enhances-security-with-confident-technologies-recognitionauth/

Terrell

By: Mackenzie

Mackenzie — Tue, 22 Apr 2008 20:42:27 +0000

Well, at least this way there’s just one server holding your user/pass. The usual method involves keeping your user/pass stored on many servers. If any of them are broken into, your stuff’s gone. At least your info’s in less places.

By: Scott Kveton

Scott Kveton — Tue, 22 Apr 2008 17:17:42 +0000

I’m going to shamelessly plug our OpenID provider myVidoop.com as a secure option. We use a unique way of logging in that leverages the ability of users to recall better than can remember. This, combined with a second factor activation of your browser via email, SMS or voice give users the ability to have corporate grade authentication without the hassle of carrying tokens or having to remember long, obscure passwords.

It should be noted that claimID is also going to be deploying the ImageShield as an optional way of authenticating as well:

http://www.earthtimes.org/articles/show/confident-technologies-secures-leading-openid-providers,359949.shtml

By: Peter

Peter — Tue, 22 Apr 2008 16:42:49 +0000

I guess part of it depends on what type of attack you think is going to happen. If someone gets into the database for my bank, then having the same password for my eBay account might not be a problem since the attack was targeting the bank. If someone is targeting ME in particular and learns my bank password, then having the same password for all my other accounts suddenly is a really big problem.

I use your second option. I have a KeePass file with different randomly generated passwords for all my accounts. The password to open the file is relatively insecure, but the file itself is always under my control. There are some passwords that are extremely complex and I don’t even know what they are. I just copy and paste them from KeePass. Granted, I need to have access to the KeePass file to logon to those accounts, but I am willing to make that tradeoff.

OpenID might be acceptable for low-value accounts like blog comments and such, but I can’t see it becoming accepted for high value accounts unless it is used as part of a two-factor authentication system (like the Verisign system).

By: Justin Shattuck

Justin Shattuck — Tue, 22 Apr 2008 14:20:10 +0000

Don’t forget about a MyVidoop and Vidoop. They have some killer stuff going on in relation to OpenID.

By: Dave

Dave — Tue, 22 Apr 2008 13:43:45 +0000

I totally agree. But there is a (growing) problem with the multitudes of logins/passwords that a single person is required to remember on the internet today.

Sure, in a perfect world - a user has different passwords for every site that they use.

But how is this possible? Right now, if you use a secure, randomized, lengthy password, the only way to do this is to a) write it on a piece of paper (BAD!) b) store it in an encrypted file (which requires a password to open up). These are really the only two options.

I would rather see a single sign on which has an ultra-secure logon (That is why I use Verisign’s PIP with two-factor authentication) than someone who uses the same username/password, which is usually guessable for a typical user.

Then the security is down to your OpenID provider. This “trust” and security issue is something that has yet to be addressed, in my opinion.

Some security luminaries believe that the totally compartmentalized nature of current username/password schemes is enough to keep the general security of the internet without a single point of failure. I don’t believe that it has really been proven at this point, specifically for the typical internet user who uses the same password for everything.

Please let me know your thoughts or if you think this is totally off base.