yvi wrote in dw_suggestions, 2009-08-04 02:50 pm (UTC):

So if a provider gets compromised some number of users' passwords may be compromised, but if they're strong enough passwords they should still be safe.

What do you mean by 'if they're strong enough passwords they should still be safe'? If an account providing OpenID is hacked by using a security hole in someone's website - and that doesn't mean getting the plain text of the password - they could then easily access that user's Dreamwidth account by saying 'yes, allow access' on the Dreamwidth OpenID login page. That has nothing to do with how strong or weak a password is and everything to do with how other services store passwords or handle security.

Sites actually very rarely store the plain text passwords these days, which is a good thing.

Not every user will want to log in with an OpenID, and not every user who does will use the same OpenID provider.

Yes, but I don't want Dreamwidth to even open that can of worms. Ultimately, if this leads to an account being hacked in some way and data being lost, people will blame Dreamwidth for introducing this risk. I'd rather take people having to remember one more password.

How is this different from the normal day-to-day worries about users having weak passwords?

Dreamwidth places limitations on how often a user can try to log in in a given timeframe before blocking the IP for a while, which basically prevents brute-force password cracking. Dreamwidth cannot guarantee the same for providers of OpenID accounts.

Thanks for the clarifications, but it is certainly being marketed (http://openid.net, http://www.myopenid.com) and used that way (http://sourceforge.net, http://pragprog.com).

I stand corrected then, though it does sound like a lot of marketing stuff to me. I wouldn't even want to have only one password with one sign-in authentication for everything, because that means that if this one means of authentication gets compromised, I'm out of luck. Anyway, I had no idea that SourceForge allows you to do that, but OpenID certainly started out, from what I know, as a means of commenting on blog posts while being associated with your blog. Which you can 100% do on Dreamwidth.

Still, other sites doing it doesn't mean Dreamwidth has to ;)

Basically, my opinion comes down to the fact that I have no idea whether being an OpenID provider means that you have to adhere to certain security standards, but it doesn't seem to be the case: https://www.myopenid.com/new_domain
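The login-throttling behaviour yvi describes in the comment above (a cap on failed attempts per IP within a time window, then a temporary block of that IP) as an added Python sketch. This is example code written for this page, not Dreamwidth's own implementation; the class name, the thresholds, the `203.0.113.7` address and the placeholder password are all constructed for the demonstration.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Per-IP login throttle (hypothetical, not Dreamwidth's code).

    Allows at most `max_attempts` failed logins from one IP inside a sliding
    window of `window_seconds`; hitting the cap blocks that IP for
    `block_seconds`, and a blocked IP is refused even with the right password.
    """

    def __init__(self, max_attempts=5, window_seconds=60, block_seconds=600):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.block = block_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time at which the block lapses

    def _prune(self, ip, now):
        """Drop failure timestamps that have aged out of the window."""
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Block has expired: lift it and forget the old failures.
            del self._blocked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def record_failure(self, ip, now=None):
        """Register a failed login; returns True if this failure triggers a block."""
        now = time.time() if now is None else now
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_attempts:
            self._blocked_until[ip] = now + self.block
            return True
        return False

    def record_success(self, ip):
        """A successful login resets the failure count for that IP."""
        self._failures.pop(ip, None)


def attempt_login(limiter, ip, password, now, correct="hunter2-example"):
    """Outcome of one login attempt: 'blocked', 'failed' or 'ok'.

    `correct` is a constructed placeholder standing in for a real credential check.
    """
    if limiter.is_blocked(ip, now):
        return "blocked"
    if password == correct:
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip, now)
    return "failed"


def simulate():
    """Three wrong guesses within a minute block the IP; the block lifts later."""
    limiter = LoginRateLimiter(max_attempts=3, window_seconds=60, block_seconds=300)
    ip = "203.0.113.7"  # constructed documentation (TEST-NET-3) address
    results = []
    t = 1000.0
    for guess in ["a", "b", "c", "d", "hunter2-example"]:
        results.append(attempt_login(limiter, ip, guess, t))
        t += 1
    # Well after the 300 s block has lapsed, the correct password works again.
    results.append(attempt_login(limiter, ip, "hunter2-example", t + 300))
    return results


if __name__ == "__main__":
    print(simulate())
```

Two points worth noting about the design. The fourth and fifth attempts are refused even though the fifth carries the correct password, which is exactly what makes the block useful against guessing: an attacker gets no signal from the locked-out window. The caveat is that keying the limit on source IP only slows down guessing from a single address; it also affects legitimate users sharing an address behind NAT, so production systems usually combine it with per-account counters and a generic failure message.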
