OpenID: Good idea gone bad

Story: OpenID: The Ultimate Sign On
Total Replies: 26
gus3

Feb 21, 2008
7:57 AM EDT
Putting all your authentication eggs in one basket is a really bad idea. The "principle of least privilege" dictates maintaining separate credentials for separate purposes/sites on the Internet. One cracked OpenID site could result in one's identity being abused over several other OpenID sites.
Scott_Ruecker

Feb 21, 2008
9:28 AM EDT
I wondered about that, so if my ID were compromised on one site, you could use it to get into a bunch of others. No thanks.
tuxtom

Feb 21, 2008
9:41 AM EDT
I hear ya, but I see so many end users forget their passwords for different things it's pathetic. All mine are along the lines of "_@h534C54%!". Sometimes I forget myself, but ain't no one gonna brute force me and get into all my login accounts. Something like that is even difficult to socially engineer.
Scott_Ruecker

Feb 21, 2008
9:52 AM EDT
EXACTLY!

Like you tuxtom my passwords are very robust, at least compared to what I see other people using. If you can crack my passwords, you're the voice in my head. :-)
tuxtom

Feb 21, 2008
9:56 AM EDT
What's your dog's name again?
Scott_Ruecker

Feb 21, 2008
9:58 AM EDT
Or the one I see all the time and my personal favorite, password1
NoDough

Feb 21, 2008
10:13 AM EDT
SR>> Or the one I see all the time and my personal favorite, password1

Heh. I was setting up one of my users the other day with OpenVPN for mobile network access. I asked her what she would like her password set to. She looked at me with nary a hint of a grin and said, "Password."
tuxchick

Feb 21, 2008
10:28 AM EDT
Wow, tough crowd. I foil crackers by changing the o in password to 0. See, good security is easy. Except I lock myself out 'cause I forget and keep re-typing it with the o.
Scott_Ruecker

Feb 21, 2008
10:35 AM EDT
Like you Carla, I like to mix in numbers with my passwords. It's when I have to change or modify them that I start to lose track of which letters I replaced with numbers or if I switched them out at all or if I changed it completely...

stupid passwords..

LOL!!
tuxtom

Feb 21, 2008
11:06 AM EDT
P@$$w0rD
Scott_Ruecker

Feb 21, 2008
11:08 AM EDT
Good password, can I keep that?

LOL!!
tuxtom

Feb 21, 2008
11:12 AM EDT
Sure, Scott, sure....but only if you use it for root. Where do you work again?
Scott_Ruecker

Feb 21, 2008
11:19 AM EDT
He He, Nnnnnnnnnnnnnnnnot!
tracyanne

Feb 21, 2008
12:14 PM EDT
I prefer pass phrases, with misspelt words and letters replaced with numbers and non-alpha chars in place of the spaces. Something along the lines of Th15+1s+Mi+Pa55W0rd, I keep them in a notebook, but many password fields don't allow long passwords, and in fact encourage very short passwords - Ubuntu, for example, allows a max of 15 characters, and I notice that banks often encourage much shorter passwords.

A graphic design house that we do the coding for allows their clients to use passwords like 'anna' and 'tom' etc, and in spite of our continual prompting they have done nothing about this. The really sad thing is at least one of the clients deals mainly with children.
Scott_Ruecker

Feb 21, 2008
12:53 PM EDT
That's what my passwords are like too tracyanne, play-on-words, funny phrases..
tuxtom

Feb 21, 2008
2:29 PM EDT
Quoting: I keep them in a notebook

That is a security no-no. Someone can get a hold of your notebook. NEVER write a password down or email it if you want it to remain secure.

Quoting: misspelt words and letters replaced with number and non alpha chars
Quoting: play-on-words, funny phrases

Mine, too. I also find adding a period or an exclamation point to the end of a word to be a pretty safe bet.

If I were to do dictionary attacks I would do all the letter/number combos for "password" first. That would be the most fruitful.
jezuch

Feb 21, 2008
2:50 PM EDT
Quoting: NEVER write a password down or email it if you want it to remain secure.

The all-mighty Bruce Schneier disagrees: http://www.schneier.com/blog/archives/2005/06/write_down_you...

Well, maybe except this "email" part :)
Sander_Marechal

Feb 21, 2008
2:53 PM EDT
Quoting: If I were to do dictionary attacks I would do all the letter/number combos for "password" first. That would be the most fruitful.

Nah. Try out all the letter/number combinations and replacements of their username. And try them all with one digit appended at the end. You won't believe how many times I've seen the username with the number 1 appended being used as the password.
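tuxtom's and Sander's guesses above describe exactly what a server-side password policy check should reject before the account is created. The checker below is an added example, not code from the thread: the leet-substitution table, the three-word list and the 10-character minimum are constructed assumptions, and the samples are lifted from the habits described in this thread.

```python
import re

# Constructed map of the leet substitutions seen in this thread (P@$$w0rD,
# Pa55W0rd); ambiguous ones ("1" as i or l) are resolved one way here, a
# production checker would try every expansion and use a full wordlist.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "+": "t", "!": "i"})
COMMON_WORDS = ("password", "letmein", "qwerty")   # constructed mini wordlist
MIN_LENGTH = 10                                     # assumed policy value


def normalize(text: str) -> str:
    """Lower-case, undo leet substitutions and keep only the letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def weakness(password: str, username: str):
    """Return why the password is weak under this thread's rules, else None."""
    norm = normalize(password)
    # tuxtom's guess: every letter/number variant of "password" is tried first
    for word in COMMON_WORDS:
        if word in norm:
            return f"variant of dictionary word '{word}'"
    # Sander's guess: the username with one digit (or '.' / '!') appended
    core = re.sub(r"[^A-Za-z]$", "", password.lower())
    norm_user = normalize(username)
    if username and (core == username.lower() or (norm_user and normalize(core) == norm_user)):
        return "derived from username"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


# Constructed samples taken from the habits described in the thread.
SAMPLES = [("password1", "scott"), ("P@$$w0rD", "tuxtom"), ("tuxtom1", "tuxtom"),
           ("Th15+1s+Mi+Pa55W0rd", "tracyanne"), ("_@h534C54%!", "tuxtom")]

if __name__ == "__main__":
    for pw, user in SAMPLES:
        print(f"{pw!r:24} -> {weakness(pw, user) or 'ok'}")
```

Note that tracyanne's long pass phrase still fails: once the substitutions are undone it contains "password", which is the point tuxtom made about where a dictionary attack starts.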
tuxtom

Feb 21, 2008
3:59 PM EDT
Quoting: The all-mighty Bruce Schneier disagrees

Bruce ain't almighty root on my servers.
rf

Feb 21, 2008
4:30 PM EDT
@gus3:

I'm not sure whether you're implying that with OpenID, if a "relying party" web site gets cracked, then the perpetrator can compromise your accounts on other web sites that are relying parties. My understanding is that this is not the case. On the other hand, if the perpetrator cracks your OpenID provider's web site (e.g. Yahoo! or AOL), then you'd probably be screwed.

So you'll want to pick your provider wisely, and if you're really paranoid, there is no reason you can't be your own provider -- you'll just need to run an Internet-accessible web server (and some OpenID server-side software) on your home PC.

The main concept with OpenID is that your ID is a URL, and authentication is tantamount to proving that you *own* the thing pointed to by that URL. This is only *really* true if the URL points to your own web site, but AOL and Yahoo! are usually reasonable stand-ins, if you trust them.

I'm not an expert, but I do run a web site that uses OpenID for authenticating users.
tuxtom

Feb 21, 2008
5:49 PM EDT
Is OpenID really just LDAP with a consumer-friendly name?
gus3

Feb 21, 2008
8:49 PM EDT
@rf:

Quoting: On the other hand, if the perpetrator cracks your OpenID provider's web site (e.g. Yahoo! or AOL), then you'd probably be screwed.

Precisely. One authentication set (identity, authentication, and authorization) per purpose, NOT EVER to be shared automatically.

(Did I mention I used to work for a storage security company?)
gus3

Feb 21, 2008
10:30 PM EDT
@tuxtom:

Quoting: That is a security no-no. Someone can get a hold of your notebook. NEVER write a password down or email it if you want it to remain secure.

Almost. The password (and the privileges that go with it) are meaningless without the password's venue and matching identity. I can tell you that my password is "52pickup", but unless you know where that password applies, and to what username, how can you compromise my identity?

The problem with OpenID is that the venue goes beyond a single site/purpose. Once the venue is centralized by the user, it presents a single point of attack. If that location is compromised, my identity becomes someone else's plaything.
NoDough

Feb 22, 2008
6:11 AM EDT
From the movie Spaceballs...

HELMET: I knew it would work. All right, give to me.

ROLAND: The combination is one. HELMET: One. SANDURZ: One. ROLAND: Two. HELMET: Two. SANDURZ: Two. ROLAND: Three. HELMET: Three. SANDURZ: Three ROLAND: Four. HELMET: Four. SANDURZ: Four. ROLAND: Five. HELMET: Five. SANDURZ: Five.

HELMET: So the combination is one, two, three, four, five. That's the stupidest combination I've ever heard in my life. That's the kinda thing an idiot would have on his luggage.

...

HELMET: We have the combination.

SKROOB: Great. Now we can take every last breath fresh air from planet Druidia. What's the combination?

SANDURZ: One, two, three, four, five.

SKROOB: One, two, three, four, five? That's amazing. I've got the same combination on my luggage.
gus3

Feb 22, 2008
8:19 AM EDT
NoDough: raising the term "hash collision" to a whole new level...
ColonelPanik

Feb 23, 2008
12:49 PM EDT
Y'all seem to lose sight of the whole open concept. If you believe in open you won't use passwords.
rf

Feb 25, 2008
10:50 AM EDT
@gus3:

Well, the authorization part is still up to the "relying party" web site. No-one's proposing that authorization be outsourced.

And nothing with OpenID is automatic. When you log in to a relying-party web site, you are redirected back to your OpenID provider, and your OpenID provider says something like: "lxer.com is requesting to authenticate user 'rf'. Do you want us to authenticate you?" Followed by a check box saying "remember this decision."

There is also no problem with a person having multiple OpenIDs. Indeed, many people probably do (or will): AOL/netscape.net, Yahoo!, and eventually Gmail, etc. Before Yahoo! directly supported OpenID, a site called idproxy.net implemented OpenID-Yahoo! integration and they supported aliases such that a given Yahoo! id would support multiple OpenIDs (e.g. one for each relying-party web site if you require that level of anonymity).

Sounds like you'll want to run your own OpenID provider. That scenario is no less secure than a user using Firefox's "remember passwords" feature because in both cases, your computer is capable of authenticating you on your behalf, and you are vulnerable to having someone hack into your computer to hijack that capability (except that OpenID requires you to run a web server).
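
The consent-and-redirect flow rf describes is what lets a relying party accept a login without ever seeing a password. The code below is an added example, not code from the thread or from any OpenID library: a simplified model of OpenID 2.0 signed assertions that leaves out discovery, the Diffie-Hellman association exchange and the consent page itself, with constructed site names, identity URL and nonce values. It shows the relying-party checks a practitioner would want (association handle, return_to, HMAC-SHA1 over the key-value form, one-time nonce) and why cracking one relying party does not yield assertions another relying party accepts, while the provider holds every key.

```python
import base64, hashlib, hmac, secrets
def kv_form(fields, signed):
    # OpenID key-value form of the signed fields, 'openid.' prefix stripped
    return "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed.split(","))
def sign(secret, fields):  # HMAC-SHA1 over the key-value form, base64: the openid.sig value
    mac = hmac.new(secret, kv_form(fields, fields["openid.signed"]).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Provider:
    """The OpenID provider: holds the user's credential and one association key per RP."""
    def __init__(self): self.assocs = {}
    def associate(self, rp_name):
        handle, secret = f"assoc-{rp_name}", secrets.token_bytes(20)
        self.assocs[handle] = secret
        return handle, secret
    def assert_identity(self, handle, identity, return_to):
        # Sent only after the user approved the request on the OP's own consent page.
        fields = {"openid.mode": "id_res", "openid.identity": identity,
                  "openid.return_to": return_to, "openid.assoc_handle": handle,
                  "openid.response_nonce": "2008-02-21T14:30:00Z" + secrets.token_hex(4),
                  "openid.signed": "mode,identity,return_to,assoc_handle,response_nonce"}
        fields["openid.sig"] = sign(self.assocs[handle], fields)
        return fields

class RelyingParty:
    def __init__(self, name, op):
        self.handle, self.secret = op.associate(name)
        self.return_to, self.seen = f"https://{name}/openid/return", set()
    def verify(self, f):
        if f.get("openid.assoc_handle") != self.handle or f.get("openid.return_to") != self.return_to:
            return False
        if not hmac.compare_digest(sign(self.secret, f), f.get("openid.sig", "")):
            return False
        nonce = f.get("openid.response_nonce")
        if nonce in self.seen:              # replayed assertion
            return False
        self.seen.add(nonce)
        return True

def demo():
    # Returns (genuine accepted, replay rejected, forgery signed with another RP's key rejected).
    op = Provider()
    lxer, other = RelyingParty("lxer.com", op), RelyingParty("other.example", op)
    a = op.assert_identity(lxer.handle, "https://rf.example/", lxer.return_to)
    genuine, replay = lxer.verify(a), lxer.verify(a)
    forged = {**a, "openid.assoc_handle": other.handle, "openid.return_to": other.return_to,
              "openid.response_nonce": "2008-02-21T14:31:00Zforged"}
    forged["openid.sig"] = sign(lxer.secret, forged)   # only lxer.com's key was cracked
    return genuine, replay, other.verify(forged)
```

Running demo() gives (True, False, False): the relying party trusts only assertions under its own association key, so a cracked relying party exposes nothing about the others, whereas the provider, which holds every key and the credential, is the single point gus3 objects to.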
