MySpace Joins OpenID Coalition
the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others."
Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty of OSS OpenID libraries available."
But then how can I have multiple accounts for sock puppetry?
OMG!!
"Initially support is to use MySpace OpenIDs as providers only -- i.e. you cannot logon to MySpace with an OpenID created elsewhere" Ummm.... Doesn't that sort of defeat the purpose of a single username/password system? You have to create an OpenID for MySpace, and then you have to create a different OpenID for site XYZ. How many other sites are going to require that you create a new OpenID for their site?
"now if only Microsoft would support it"
I think it would be more likely that they would decide IE should actually follow internet standards before they hopped onto this.
Until you actually let someone authenticate to your site using OpenID, you're not really helping anything. You're just spreading BS about how open you are when you're really just supporting further centralization around yourself. Until the big names start acting as Relying Parties, I don't wanna hear about it.
Reader gbjbaanb adds a link to the BBC's coverage and points out that Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use
No, I'm pretty sure he wrote in pointing that MySpace's 100 million users would nearly double the number of OpenID accounts.
Jesus fucking Christ, is proof-reading really that hard?
Spelling mistakes, grammatical errors, and stupid comments are intentional.
A problem inherent in a decentralized single signon system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lock down their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.
Colin Dean Go a year without DRM
"Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use"
The article doesn't mention Facebook. Is the poster sneaking in a snide remark about the similarities between the two sites?
There's no -1 for "I don't get it."
Losing just one password, or OpenID databases getting hacked, will mean loss of all services related to it, even if they have other login systems.
Read radical news here
That should read "MySpace's 100 million users" not Facebooks.
Facebook is vastly smaller than Myspace, and isn't the point of the story.
I live in constant fear of the Coming of the Red Spiders.
Sounds scary, I like having different identities for various sites. I am sure if people tried hard enough they could figure out my other aliases, but it wouldn't be easy.
So now the big question for me. Can you create this single sign on account as an anonymous account? It would make things nice, but, I'd still not want to be identified in meatspace with this id....kind of like most accounts I have on the internet.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
I really wanted my Hotmail account to be compromised when my Google/Myspace/Facebook/Amazon/Ebay/Paypal accounts are all compromised by the single sign on. Now they will have to get my OpenID AND my Passport logons.
Seriously...with the internet being such a dangerous place for the average user, how in the freaking hell is a single sign on going to make it better? I mean really now this seems monumentally stupid. And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.
With any luck some banks and credit cards will adopt this. So now you can have everything stolen from you with a single username/password combination that was probably lifted from you through a fake website or one of the dozens of account stealing malware bits that you installed to get "OMG Ponies Wallpaper & Pointers!". For bonus points, being able to pull a drive by install of malware to steal this account from a MySpace banner and then using that to steal all of their money, email addresses, and social webpages would be great. Bonus points if you manage to auction off all of their personal possessions through their ebay account and then keep the money through their paypal account.
The only change I can believe in is what I find in my couch cushions.
I guess Microsoft's failure with Passport isn't going to deter MySpace from building a system that no one is going to use either.
I refused to sign up for MS Passport, and I refuse to sign up for OpenID. I don't WANT my logins shared across multiple websites. There are some websites/services I just plain old don't trust with some or all elements of my real information. And if only ONE of those websites is compromised, my login is now compromised across the board, and I can have impersonators using my login with websites/services I've never had any involvement or perhaps even knowledge of.
I've been thinking of nuking my Myspace account for some time, as I don't actually USE it for anything, sounds like this might be a good time to go ahead with that.
Who cares about a unified username/password "experience". A single username/password combination is an idiotic idea which means one site getting compromised compromises ALL websites you've an OpenID profile on. Who thinks of these idiotic ideas?
I thought they would learn from that experience when you could have a set of car keys from a Ford in the UK (in the 1970's IIRC), and it would open all the other Ford cars. At least that's how my parents' car was stolen. Now do the equivalent with an online profile.. madness.
Take Nobody's Word For It.
Is having 1 global ID really wise? It sounds like a single point of failure to me. And do you really want the same ID across all sites? i.e. Do you want to be able to be tracked across multiple sites, especially those that cater to different audiences? And with social engineering, if you divulge your personal info to a phisher for one site, he would then be able to use it for all other sites.
Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.) There is free user ID/password management software so you don't have to memorize every ID and password.
The obvious concern here is that if your openid user+pass gets stolen, you just lost everything.
Most people seem to use the same user+pass everywhere anyway, and if you had one password compromised on a keylogger or public terminal you probably had them ALL compromised.
So maybe it's still an improvement, but it should be considered as a very serious concern.
Great...have one ID for everything, then they'll just have to steal it once.
Although, most idiots today use the same username and password for everything anyway.
This whole idea is the stupidest security idea I've heard in a while, and I hear stupid ones every day.
Why would I trust MySpace with my AOL login? Once there's several other people to blame, any one of whom could have used or leaked my password, what's stopping unethical people at MySpace from using my "MySpace" login to get into my AOL login, and make our clueless police/FBI figure out which of the many possible perpetrators was the real perp?
I don't use the same PIN for all of my banks. Then one of the banks, or some unethical employee, could rob my other bank's account.
The whole point of a password is to keep everyone except you and the specific challenging party from accessing your account with that party. Good security doesn't even let the other party know your cleartext password, or access your account with them without it. But I don't see how OpenID will do anything like that.
Why not just open an account with my service. We'll let you register all of your passwords, for websites and your banks, to login to us. Then, you can use any password you happen to remember. And then, I'll go and use all of those passwords to rob you blind.
--
make install -not war
I can see this now, people rushing to register OpenID unique usernames. Currently, with these 100 million accounts, the same username could be used by 4 different people across 4 different sites. Now we'll have people squatting to reserve usernames which are unique across all four sites.
We'll end up with the same problem we have now with domain names, grandma will have to register with grandma_alkjs because grandma_mimi will cost her $100 to get from a squatter.
Developments like this are pretty shocking, especially when you see that the same people proclaiming this as a glorious triumph are the same people who attack Microsoft Windows for creating some kind of magical "operating system monoculture" (let us, as usual, purposely ignore the fact that client/server computing negates that).
IMO, this kind of authentication monoculture is more dangerous than just about anything else I've heard. If someone hacks my email (for example), they don't get carte blanche to either open accounts elsewhere or check all my other accounts. But OpenID will change all that.
So people don't care that it's insecure... just so long as it's an open and standards-based lack of security.
...even if your data doesn't get stolen, doesn't get lost, and doesn't get compromised in any other way, this is a BadIdea(tm) from a privacy point of view.
Why? Because if you care about your privacy on-line, one single clue about who you are will give away who you are *everywhere* [on the websites using OpenID authentication]. Have your real name on Facebook? Everyone on the net will be able to find *your* MySpace, AOL, Yahoo, BlogThis and IMThat... account.
Even if you don't have your real name anywhere: you're still leaving a waaaay longer trail on the 'net than you're doing with a purpose-limited account. Anyone with a clue (and a sane cookie system, like Google) will sooner or later relate pretty much everything you do on the 'net to exactly *your* person. If you're really careful, then you *might* be able to keep those two words making up your name out of the game. But that's about the *only* thing that's not going to be known about your person...
Either that, or you'll keep creating 2, 3, or even more OpenID accounts -- one for each level of "privacy" you wish to enjoy. But then again, the need of having several OpenID accounts kinda kills the point of centralizing account management...
Privacy is not a matter of the information itself, it's a matter of how information is linked together (and/or to your person :-)
All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's passwords easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.
With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.
> Is having 1 global ID really wise?
Around five years ago there was a lot of buzz about federated Web identification. Passport, OpenID and Liberty Alliance date from that era.
I think this was leakage out of the corporate world, where single-sign-on makes sense for employees or vendors operating on a private network.
For a Web world, compartmentalisation of sign-on is vital. Not only does it protect against compromise, but it also provides ultimate control over authentication. If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.
Web users today are much more phishing-savvy and rely on password safe applications to manage their accounts. This seems like a last gasp from OpenID to convince someone, anyone, of the relevance of SSO.
Whenever OpenId comes up there's always a million comments about handing over passwords and that all it takes is one site you're registered with to be compromised for your identity to be lost. This is not the case as OpenId does not share your actual login information with the third party at all. All the authentication happens at your provider. I fail to see how people consistently overlook this vital piece of information. If your provider is compromised on the other hand... you're pretty much in the same place as somebody compromising your mailbox. And there's a worrying trend of people just handing that information out anyway.
Pot, Kettle, etc. When will slashdot support it? There are plenty of OpenID libraries, so CmdrTaco won't have to stop editing to work on it full time.
Do you even lift?
These aren't the 'roids you're looking for.
single point of failure!!
I'm glad I got rid of MySpace about a year and a half ago. I never really do anything with my blogger account, and i'll probably buy my own domain again to get away from gmail.
To paraphrase Ian Malcolm, what they call progress, I call the rape of the digital world.
I don't see how this will work on myspace with only ten characters for a password.
This whole openID thing sounds like centralization of passwords and private information, and behind the scenes the linking of user X, Y, Z from site A, B, C.
Roll the damn thing out if you must, but make it clear somewhere EARLY that it's linked to other accounts. It might be better to not register.
But then you all know I had to comment on this with a cool handle like myspace-cn before the Chinese firewall comes after me to put me to death for all my hard core death/black metal myspace accounts.
My company recently attempted to implement an OpenID login option for our website. We quickly abandoned the idea because it was simply a horrible user experience. For those of you who are unaware of how openid works here are the steps to sign in with openid: 1) First you have to enter a URL which is your openid login. For example, if yahoo is your openid provider, you would enter http://openid.yahoo.com/cortesoft. Right off the bat, you already have to enter a ridiculously long user id. 2) Once you enter the URL, that is passed on to the openid provider. Using the yahoo example, you then have to sign in to yahoo if you aren't already signed in on this computer to prove you are the owner of that openid URL. 3) You are then asked to check a box giving the requesting site permission to use this openid. In yahoo's case it also requires entering a CAPTCHA. This is to ensure that the requesting site isn't merely nefariously requesting an OpenID without the user's permission. 4) Yahoo authenticates to the requesting site that you are logged in, and you are finally signed on. Of course, it is slightly easier on subsequent visits. The authorization process is shorter, but you still have to sign in to your openID provider and enter a URL. Just look at how simple the alternative is: A user simply enters a username and password and BAM they have a new account. They can even choose the same one as they used on other sites if they want the same username and login across multiple sites. Users bounce at any sign of difficulty in the signup process. OpenID is a huge barrier to entry, so we scrapped the idea of using it.
The thing is, most people don't have different usernames and passwords for each site. A ton of people use the same password for MySpace, Gmail, Amazon, work, school, their bank, etc. At least with OpenID most of these sites would not get to see your password.
It could be a single point of failure, but maybe that's not a bad thing when talking about protecting secrets like passwords?
GAWD the amount of "OMG Single point of failure PONIES" posts is ridiculous.
You do NOT give OpenID all your passwords and logins.
It's not turning all those accounts over to a third-party and them giving you a single login and password.
It's using ONE account at MANY other sites in a limited form.
Example: using my account here (http://www.slashdot.org/~GrumblyStuff/), I'd post it into the separate OpenID field on say... MySpace.
This takes me to a confirmation page on Slashdot that requires being logged into said account. You're logged in? Then everything is peachy and you can be added to friends, add friends, write comments, whatever on MySpace. You'll have an account there that simply has a link to your Slashdot account.
THAT'S IT.
I RTFS. I RTFA. I even went to the OpenID website to make sure they hadn't gotten some dumb fuck idea like most everyone writing comments here is freaking out over.
Note the key phrase "eliminates the need for multiple usernames". That means not needing an account at MySpace, Facebook, or Livejournal to message a friend.
I don't know how AOL, Wordpress, and Yahoo fit in (if they got blogs or if it's to be used with IMs or email) but it works alright with regular blogs. (I don't know wtf Vox is though.)
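The sign-in steps cortesoft lists above and the "one account, nothing handed over" point in this post, as an added example that is not from the original thread or from the OpenID project: a simplified model of the OpenID 2.0 positive assertion and its check at the relying party. It assumes a pre-shared association secret (the real protocol negotiates one) and HMAC-SHA256 over the key-value form; the password check happens only at the provider, and the relying party verifies the signature, the return address, the claimed identifier and a fresh nonce.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Assertion models the positive response ("id_res") a provider returns to
// the relying party through the user's browser. Note what is absent: there
// is no password field anywhere in it.
type Assertion struct {
	Fields map[string]string // claimed_id, return_to, response_nonce, ...
	Signed []string          // names of the fields covered by Sig, in order
	Sig    string            // base64 of HMAC-SHA256 over the key-value form
}

// keyValueForm serialises the signed fields as "key:value\n" lines, the
// canonical form OpenID signs (simplified: "openid." prefixes omitted).
func keyValueForm(a Assertion) string {
	var b strings.Builder
	for _, k := range a.Signed {
		b.WriteString(k + ":" + a.Fields[k] + "\n")
	}
	return b.String()
}

func sign(key []byte, a Assertion) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(keyValueForm(a)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Provider holds the user's password and the association secret it shares
// with one relying party. Only the provider ever sees the password.
type Provider struct {
	password string
	assocKey []byte
}

// Authenticate checks the password locally and, on success, issues a signed
// assertion for the relying party. The password is not part of it.
func (p *Provider) Authenticate(pw, claimedID, returnTo, nonce string) (Assertion, error) {
	if !hmac.Equal([]byte(pw), []byte(p.password)) { // constant-time compare
		return Assertion{}, errors.New("provider: wrong password")
	}
	a := Assertion{
		Fields: map[string]string{
			"mode":           "id_res",
			"claimed_id":     claimedID,
			"return_to":      returnTo,
			"response_nonce": nonce,
		},
		Signed: []string{"mode", "claimed_id", "return_to", "response_nonce"},
	}
	a.Sig = sign(p.assocKey, a)
	return a, nil
}

// RelyingParty knows the association secret, its own return URL and the
// nonces it has already accepted (replay protection).
type RelyingParty struct {
	assocKey   []byte
	returnTo   string
	seenNonces map[string]bool
}

func NewRelyingParty(assocKey []byte, returnTo string) *RelyingParty {
	return &RelyingParty{assocKey: assocKey, returnTo: returnTo, seenNonces: map[string]bool{}}
}

// Verify accepts an assertion only if every required field is signed, the
// signature checks out, it was addressed to this RP, the claimed identifier
// is the one the user typed in, and the nonce has not been seen before.
func (rp *RelyingParty) Verify(a Assertion, expectedClaimedID string) error {
	for _, k := range []string{"mode", "claimed_id", "return_to", "response_nonce"} {
		if !contains(a.Signed, k) {
			return errors.New("rp: field not covered by signature: " + k)
		}
	}
	if !hmac.Equal([]byte(sign(rp.assocKey, a)), []byte(a.Sig)) {
		return errors.New("rp: bad signature")
	}
	if a.Fields["mode"] != "id_res" || a.Fields["return_to"] != rp.returnTo {
		return errors.New("rp: assertion not addressed to this relying party")
	}
	if a.Fields["claimed_id"] != expectedClaimedID {
		return errors.New("rp: claimed_id differs from the identifier the user entered")
	}
	n := a.Fields["response_nonce"]
	if rp.seenNonces[n] {
		return errors.New("rp: replayed assertion")
	}
	rp.seenNonces[n] = true
	return nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}
```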
How about using a tiered OpenID system, where you can have multiple levels of accounts?
Right now I use one set of username/pwds for my banking and sensitive accounts. I'm very careful about what machines I use this info on and who I give it to. A second username/pwd pair for stuff like ./, gmail, last.fm etc... which I use for sites that I frequent and would rather not have someone else access using my name. Finally a third for smaller forums and stuff that I could really care less about.
I would like to be able to tie them together in a way that lets me use a higher-tier account to reset the pwd of the lower tier accounts but not vice-versa or across a tier.
It's still an "all your eggs in one basket" approach, but it's a slightly more secure basket.
"drink deeply the illusion of your safety"
What most governments and other "big brother" ideas confuse (willingly or not) is PHYSICAL and ELECTRONIC identity (or, if you prefer, a "representation" of you like your account number, credit card number, SSN (US), NHS (UK), SOFI (NL) etc.), which is also why it is taking so long to get a digital signature into law (Spain's done it, and IMHO the system is only just about OK) - most laws start from the physical person.
Taking someone's physical identity is not that easy (sampling DNA and prints still requires physical presence which represents both risk and a lack of scalability) and not as profitable as cloning an electronic identity. The "items" that make you "you" (biometrics, knowledge et al) should stay with you so they have to be presented every time any of your electronic identities is used. This is what I like about OpenID - YOU control what accompanies every logon, and you can define multiple identities to make it easier. Most authentication mechanisms are only concerned with assuring that the person who undersigned the contract (i.e. at a bank) is the same person that gains access and authorises transactions, it really doesn't go further than that.
So, ONE person, MULTIPLE identities (which should be kept separate, so breaking one doesn't expose your entire life), and associated with each of those identities are again multiple rights and obligations (with a weird bend where a company is defined as one logical identity on which behalf a number of identities can acquire and exercise rights, but I digress).
However, instead of having one token for each bank account, government access, travel card and OpenID access you can now get it all in this gadget..
For a Web world, compartmentalisation of sign-on is vital.
Only up to a point.
I have 128 logins that I keep. I know that because I don't remember any of them, I have a file full of them. When I use Yet Another Website, I'm really tired of making Yet Another Login.
If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.
If you think that using openId from Site A to log into site B gives site B ways to continue having dealings with you against your wishes, then can you outline how that can happen? How many internet users have "e-mail aliases" to throw away?
This seems like a last gasp from OpenID to convince someone, anyone, of the relevance of SSO.
I've seen a fair amount of OpenId around recently. You can use it on Blogger and LiveJournal. If it's a "last gasp" for a declining technology, how do you back that statement up?
My Karma: ran over your Dogma
StrawberryFrog
Ok geniuses, what the heck are you gonna do when you start putting the Username/Password databases together and a million identical names belonging to different people collide? I think they'll need to create a separate database for OpenID that doesn't touch the databases that already exist.
McCain/Palin '08. Now THAT's hope and change!
With all the talk of running one's own OpenID provider, why not run it on your own machine behind a DynDNS or similar provider and use PAM to authenticate against /etc/shadow?
ROMANES EUNT DOMUS
Why can't we have a system based on our own public keys ? You could upload your public key to whatever site you wanted, without needing to transmit a password at all, ever.
Your password stays on your machine, and never gets shared over a network. This would eliminate needing multiple passwords for multiple sites. It works well for SSH, which I think is a tad more secure than having username/password pairs being sent to a myriad of different sites.
Also, a public key based system, would allow you to be anyone you wanted on any site, as long as your public key could be validated against your private key.
Kind of like a validated session cookie, you could visit a site and instantly be logged in as the user you specified originally. My password for my SSH private key is a fairly long sentence, but I only have to enter it once per local login session ( I use the SSH agent). If the sites I visit were to make use of that, then I would never need another username-password pair again.
Of course this idea is not new and the principle can be found in many flavours of password storing agent software, but they all use their own standards, and they all transmit the stored password, rather than just sending a 1 or a 0.
Note I do not propose that the browser handles the verification, but that it hands off to the OS for verification, then takes the OS's response and transmits that to the web site concerned. Said website can then use a session cookie to track state as usual.
Microsoft shipped support for OpenID 2.0 last year. Google search: http://www.google.com/search?q=microsoft+openid&rls=com.microsoft:*&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1
/LabMonkey09
Now I only have one username and password to hack and your world is mine
thank God the internet isn't a human right.
one ID to crack to get your CC/BANK info and go on a shopping spree!!!!!
If they broke Kerberos so badly, why the hell can I write my KRB5 install on Centos to point to my AD realm and have it work without any arcane settings or magic?
MS did not break Kerberos. Period. Ever. Now go away and blow your iBook.
Trying to become famous by taking photos. Visit my homepage please.
Beware, gullible sheep, Big Brother wants to track all your web activities using a single "Open" ID, starting with personal data-mining sites like MySpace and Facebook. Isn't there enough tracking from ISPs, search engines, and large websites already?
This tracking is great for big brother, but sucks for the little man, who would prefer the anonymity of dynamic IP address, and multiple, fake online personas. This OpenID idea is stupid in concept, unless there is a malicious intent to spy on everyone.
> I've seen a fair amount of OpenId around recently. You can sue it on Blogger and LiveJournal. If it's a "last gasp" for a declining technology, how do you back that statement up?
I looked over the list on openiddirectory.com; 634 participating sites. That's greater than zero, admittedly. Just about.
The story of SSO in e-commerce is brief and inglorious. ebay dropped Passport support in January 2005; Amazon never got onboard; Google established its own intra-domain federation; Yahoo announced OpenID support, then fell silent. Those are the sites that people use.
SSO has flopped on the web, thankfully.
Passport flopped because no one wanted Microsoft to have data on every single point of your life. That was what passport was: Everyone had to authenticate with Microsoft, Microsoft stored all information, Microsoft chose who got what information.
OpenID is fully decentralized, *you* choose whom to give what information, every site uses its own passwords and as the above story shows, it's far from dead.
Arrgh, that should read: only your OpenID provider has your password and it's never shared with anyone.
Sorry about that complete fuckup
This sounds like an absolutely terrible idea. How many times have we told users that it's best not to use the same password for every account? OpenID sounds like an enabler of stupidity and a huge security risk.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
OpenID is not using the same password for every account. It's having just one account instead of many, and thus only one password to remember (which can then be a better password since you have to remember fewer).
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
If I have an email or blog, can I move to OpenID login and keep my username, or do I have to make a whole new identity?
According to this article, Microsoft claims 400 Million Passport/Windows Live users worldwide. How is it that OpenID is becoming the de facto standard again?
One thing that really needs to happen is for forums to accept OpenID. Given that a small number of software packages seem to run the majority of forums out there, it seems like this sort of change could happen quickly... but to my knowledge, hasn't so far.
I thought everyone stopped using Myspace when Rupert Murdoch took it over. Myspace belongs in a category with Compuserve, Prodigy, America Online, Friendster, gopher, Netscape, Alta Vista, Napster, and other relics of Internet past.
People always complain about internet hackers and cyberstalking, and cyberbullying, but Myspace was invented to assist the stalkers, bullies and hackers.
OpenID makes life even easier for hackers by centralizing the sensitive information even further. Now when you want to find your blackmail material, you can just search one ID and find all of it.
So now the big question for me. Can you create this single sign on account as an anonymous account? It would make things nice, but, I'd still not want to be identified in meatspace with this id....kind of like most accounts I have on the internet.
We all need to make it easier for cyberstalkers, hackers, and bullies.
Anonymous accounts would make life far too difficult for the gangs of hackers, organized cyber stalking groups, and cyber bullies.
By forcing you to connect your real name to your Myspace profile, we can store all of the blackmail information in one database, all your sexual preferences, all your political and religious opinions, and anything else on Myspace can be used against you later on when sold to your boss, your potential employers, your enemies, your girlfriend.
Sexual blackmail is the new game, and it only works when you AREN'T anonymous!
If you control your own OpenID provider and have control over the information that is sent, I'm guessing you could also set it up to send information on various aliases that you have set up, right? If I understand this right, the only thing the other site can verify is that you are the same identity that logged in last time, but what your personal information really is, they won't know. But this will also mean that certain sites will never accept your own provider, they want something "secure" which they can trust. This will make it very difficult/useless to run your own provider, won't it? Too bad really.
Is having 1 global ID really wise? It sounds like a single point of failure to me.
Most people have a single e-mail address, and all the web accounts they have are registered with that address. If someone gets hold of your e-mail account then they could send password reminders for every web account you have.
Of course you use a different username and password for every web and forum account you have.
Right?
Ah yes, another universal sign-in ID. They've had those for at least a decade now, and they've been moderately more successful than internet money accounts.
Just the other day I had to sign up for a "universal" "Ning" ID - to sign into the one and only site I've ever heard of it used on. I've never been to an OpenID site.
Now if we hack OpenID we can get EVERYONE'S account to EVERY site.
OpenID makes life easier for hackers.
Myspace was set up and invented to assist hackers, con-artists, and stalkers. All information about you, your friends, and your family members in one place for a team of hackers to analyze.
All the names and photos to assist the teams that want to stalk you, black mail you, or extort you.
You don't like it? Pay for protection, just like 1920s mafia. It's a racket. In this case the hackers run it, because you and others were dumb enough to make their job easier by going to their website and giving them all the information they'd ever need to blackmail you with none of the effort.
Sexual blackmail is much easier, extortion is much easier, stalking is much easier, bullying is much easier, and when someone makes a threat and they have your real name, your picture, all your friends names and pictures, and they know intimate details about you, you know they mean business.
Noobs, all your base are belongs to us.
I hope it flops; the last thing we need is universal logins for the internet. Imagine 5 years from now that to use a larger site that requires a login, you must first register with xyz123company.com (for the cheap monthly $5 fee). Now you are free to use and be tracked wherever you go online. Thanks, but I'll just take the encrypted .txt file with my users and pass for the sites out there (especially when the govt decides to get involved, if they haven't already). Further, let's take this to an even further reality: what happens when the OpenID adult comes out? Yey, unified pr0n logins.
All I'm saying, in such an abstract way, is it sounds like a nasty information gathering scheme... don't like it.
The advantage is mine n*gger! Don't you see they are helping us hack f*ggot and n*gger accounts.
This plan has been in the works for years, don't try to ruin it!
4nd 70 4|| y0u dum8455 n0085, 17'5 1d1075 |1k3 y0u wh0 m4k3 0ur j085 34513r. |{33p dum81n6 7h3 1n73rn37 d0wn w17h |\/|y5p4(3 4nd F4(3800k. |{33p up 7h3 600d w0rk. \/\/17h y0ur h3|p w3 w1|| h4(k 4|| 7h3 n1663r5, f466075, 4nd 817(h35 0n p|4n37 34r7h.
Seeing the amount of spammers, script kiddies, and social engineering scams floating around MySpace, and the scalability of MySpace users, this is bad news. People can scam the kids who have MySpace accounts out of their passwords very easily, but having every password the same on all the sites you use...
This seems to be a double edged sword as many have said before me. I don't go on myspace, but the fact that they joined gives this some power in the market now. I'm hoping eventually this service will extend to just about all manner of social network sites because I'd really like it. However, sharing information on a site that has been hacked before like myspace can be pretty dangerous methinks. At least I know my information is safe for now...
Maybe a local app that stores all passwords and automatically logs you in would be a better solution, as long as your local security is good. Something like the Firefox password bank, but with more capabilities like working with apps, etc. If someone learns your OpenID then they have you hacked on every site. This would be very insecure, and I believe that having the same login for multiple sites was a no-no anyway. This kind of mainstreaming of breaking a security rule should not catch on; it is flawed and insecure by nature.
So now you really are fucked if someone gets your password.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Monoculture ... ?
own me once, own me everywhere
G
Right. (seriously)
Every Myspace user that logs in to Myspace sends their username and password in the clear.
It's been that way from the beginning, and the shiny new redesign didn't help.
Ironically, the URL it gets sent to is:
http://secure.myspace.com/index.cfm?fuseaction=login.process
Hey, there's a "secure" in the hostname, it must be okay!
So... When Myspace becomes an OpenID provider, will the OpenID authentication page be over plain HTTP too?
It's okay, it's not like most Myspace users log in to check their profile on every public computer they see.
OpenID seems neat, but isn't it wide open for phishing?
I go to 'evilwebsite.com', give it my openID, and it directs me to 'notmyopenidprovider.com', with a login page that looks real - I enter my credentials and it's all over? It's the bank game all over again, especially as I'm *expecting* that I might be redirected and asked for my password...
Or am I missing something?
- Chris
Whoever fights with monsters should see to it that he does not become a monster in the process.
"This should help to make OpenID the de-facto login mechanism for the Internet"
Because Myspace is going to use it? Please... maybe it will become the de-facto login mechanism for kids with too much time on their hands and the emo crowd that loves to whine on their spammy Myspace page, but Myspace is hardly a driver of what will become a de-facto standard on the Internet.
echo "$master$site" | md5sum | head -c20
(where $master is your master password and $site is the name or URL of the site you're registering for)
There's your unique password and you only have to remember the master. A bit simpler than OpenID, no?
(maybe this simplistic scheme has some vulnerability, but you get the point)
Medium cat is MEDIUM.
That's an ok solution. The main issues I see are that you lose some amount of portability. You have to have md5sum and head wherever you want to log in. You may have to ssh somewhere to do it this way. And if there's a keylogger on the machine, the game is still over. Changing your master password and then changing all of the rest of your passwords will still be quite the pain.
I'd rank this solution above using the same password for everything, but below using single-sign on via OpenID.
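The md5sum one-liner from the earlier comment, reimplemented beside a hardened variant, as an added example written for this page (it is not code from either commenter). WeakPassword reproduces the shell pipeline exactly, including the newline a plain echo appends. StrongPassword replaces it with PBKDF2-HMAC-SHA256, using the canonical site host plus a per-site counter as the salt; that addresses two things the thread raises: a single leaked site password no longer lets an attacker guess the master at MD5 speed, and bumping one site's counter rotates that site's password without changing the master or any other site (the "change everything" pain in the reply above). The salt label, the iteration count, the canonicalisation rules and the sample master phrase are choices made for this example, and PBKDF2 is written out by hand only so the block needs nothing beyond Go's standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// WeakPassword reproduces the one-liner exactly, including the trailing
// newline that echo adds: echo "$master$site" | md5sum | head -c20
func WeakPassword(master, site string) string {
	sum := md5.Sum([]byte(master + site + "\n"))
	return hex.EncodeToString(sum[:])[:20]
}

const (
	iterations = 100000 // illustrative; raise it until one derivation takes ~0.5 s on your own machine
	outLen     = 15     // 15 raw bytes -> 20 base64 characters, same length as the original
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	var out []byte
	var ctr [4]byte
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_j = PRF(P, U_{j-1}); T = U_1 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := 0; j < hLen; j++ {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// canonicalSite reduces whatever was typed (URL or bare host) to a lowercase
// host name, so "https://Example.com/login" and "example.com" agree.
func canonicalSite(site string) (string, error) {
	if !strings.Contains(site, "://") {
		site = "https://" + site
	}
	u, err := url.Parse(site)
	if err != nil || u.Hostname() == "" {
		return "", fmt.Errorf("cannot determine host for %q", site)
	}
	return strings.ToLower(u.Hostname()), nil
}

// StrongPassword derives a per-site password with PBKDF2-HMAC-SHA256. The
// site host and a per-site counter form the salt; bumping the counter rotates
// one site's password without touching the master or any other site.
func StrongPassword(master, site string, counter int) (string, error) {
	host, err := canonicalSite(site)
	if err != nil {
		return "", err
	}
	// NUL separators keep (label, host, counter) unambiguous, unlike "$master$site",
	// where ("abc","def") and ("abcd","ef") hash the same bytes.
	salt := fmt.Sprintf("sitepw-v1\x00%s\x00%d", host, counter)
	key := pbkdf2SHA256([]byte(master), []byte(salt), iterations, outLen)
	return base64.RawStdEncoding.EncodeToString(key), nil
}

func main() {
	master := "correct horse battery staple" // constructed sample input
	fmt.Println("weak:  ", WeakPassword(master, "example.com"))
	p, _ := StrongPassword(master, "https://Example.com/login", 0)
	fmt.Println("strong:", p)
	// The weak scheme cannot tell these two (master, site) pairs apart:
	fmt.Println("ambiguous:", WeakPassword("abc", "def") == WeakPassword("abcd", "ef"))
}
```

What this does not fix is the point made in the reply: a keylogger on the machine you type the master into still gets everything, and you still need the tool wherever you log in. It also ignores sites with character-class or length rules; a real tool would post-process the base64 output to satisfy them.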