Joe Q Penguin ([personal profile] jqp) wrote in [site community profile] dw_suggestions 2009-08-03 07:36 am

Login to paid account with OpenID

Title:
Login to paid account with OpenID

Area:
Login

Summary:
I would like to use an OpenID URL and password to log in to my Dreamwidth paid account.

Description:
I have a paid Dreamwidth account. I also have an OpenID URL. I would like to use my OpenID URL and password to log in to my paid Dreamwidth account.

This would allow me to use my OpenID for its (as I understand it) intended purpose: de-cluttering my mind of username/password combinations.

Poll #927 Login to paid account with OpenID
Open to: Registered Users, detailed results viewable to: All, participants: 39


This suggestion:

Should be implemented as-is.
4 (10.3%)

Should be implemented with changes.
1 (2.6%)

Shouldn't be implemented.
29 (74.4%)

(I have no opinion)
5 (12.8%)

(Other: please comment)
0 (0.0%)

[personal profile] cesy 2009-08-04 08:45 am (UTC)
As I understood it, OpenID's purpose was to enable consistent identities and verified identity-checks across sites, rather than necessarily to reduce username/password combinations. An OpenID account is not the same thing as a full Dreamwidth account, and shouldn't be. The plan to link them is great, but allowing you to log in to your Dreamwidth account from any OpenID you set up has big security implications.

[personal profile] yvi 2009-08-04 08:59 am (UTC)
My reason for no: Security concern. Sites issuing OpenID verification have all kinds of security features and I don't want parts of Dreamwidth's security to depend on what other sites do.

This would allow me to use my OpenID for its (as I understand it) intended purpose: de-cluttering my mind of username/password combinations.

Well, that's not its purpose :) As [personal profile] cesy said, it was designed for cross-site authentication. Quite frankly, using the same very secure password is a better way to handle that problem. Even if it's also not ideal, at least it won't introduce a site-wide security risk.

[personal profile] yvi 2009-08-04 02:50 pm (UTC)
So if a provider gets compromised some number of users' passwords may be compromised, but if they're strong enough passwords they should still be safe.

What do you mean with 'if they're strong enough passwords they should still be safe'? If an account providing OpenID is hacked by using a security hole in someone's website - and that doesn't mean getting the plain text of the password - they could then easily access that user's Dreamwidth account by saying 'yes, allow access' on the Dreamwidth OpenID login page. That has nothing to do with how strong or weak a password is and everything to do with how other services store passwords or handle security.

Sites actually very rarely store the plain text passwords these days, which is a good thing.

Not every user will want to login with an openID, and not every user who does will use the same openID provider.

Yes, but I don't want Dreamwidth to even open that can of worms. Ultimately, if this leads to an account being hacked in some way and data being lost, people will blame Dreamwidth for introducing this risk. I'd rather take people having to remember one more password.

How is this different from the normal day-to-day worries about users having weak passwords?

Dreamwidth places limitations on how often a user can try to log in in a given timeframe before blocking the IP for a while, which basically prevents brute-force password cracking. Dreamwidth cannot guarantee the same for providers of OpenID accounts.

Thanks for the clarifications, but it is certainly being marketed (http://openid.net, http://www.myopenid.com) and used that way (http://sourceforge.net, http://pragprog.com).

I stand corrected then, though it does sound like a lot of marketing stuff to me. I wouldn't even want to have only one password with one sign-in authentication for everything because that means that if this one means of authentication gets compromised, I'm out of luck. Anyway, I had no idea that Sourceforge allows you to do that, but OpenID certainly started out from what I know as a means of commenting on blog posts while being associated with your blog. Which you can 100% do on Dreamwidth.

Still, other sites doing it doesn't mean Dreamwidth has to ;)

Basically, my opinion comes down to the fact that I have no idea whether being an OpenID provider means that you have to adhere to certain security standards, but it doesn't seem to be the case: https://www.myopenid.com/new_domain

(Anonymous) 2009-08-04 09:31 am (UTC)
Um, no, that's NOT the intended purpose of OpenID, as the previous commenters have noted. And this would be a security nightmare! No thanks.

[personal profile] kyrielle 2009-08-04 05:01 pm (UTC)
Tying an openid to my acct was planned, as I understand it, to let me "claim" comments made by that openid. I want to do that but I do not want someone to be able to log in to my account via openid if another site got hacked. If this is done, it should be two separate lists - openids whose comments I claim vs. those I authorize to log in.

[personal profile] ciaan 2009-08-04 06:18 pm (UTC)
Yes, I think the planned implementation was for the DW account to "own" the openIDs, rather than the other way around. While a part of me thinks yes, it makes sense to be able to get into the DW account via the openID, I can also definitely see the security flaws in that. Hmmm.

[staff profile] mark 2009-10-28 06:15 pm (UTC)
I just saw this suggestion. Sad, because I actually really like it...

[staff profile] denise 2009-10-28 06:19 pm (UTC)
There's bug 188!