Joe Q Penguin ([personal profile] jqp) wrote in [site community profile] dw_suggestions, 2009-08-03 07:36 am

Login to paid account with OpenID

Title:
Login to paid account with OpenID

Area:
Login

Summary:
I would like to use an OpenID URL and password to log in to my Dreamwidth paid account.

Description:
I have a paid Dreamwidth account. I also have an OpenID URL. I would like to use my OpenID URL and password to log in to my paid Dreamwidth account.

This would allow me to use my OpenID for its (as I understand it) intended purpose: de-cluttering my mind of username/password combinations.

Poll #927 Login to paid account with OpenID
Open to: Registered Users, detailed results viewable to: All, participants: 39

This suggestion:

Should be implemented as-is.
4 (10.3%)

Should be implemented with changes.
1 (2.6%)

Shouldn't be implemented.
29 (74.4%)

(I have no opinion)
5 (12.8%)

(Other: please comment)
0 (0.0%)

[personal profile] yvi 2009-08-04 08:59 am (UTC)
My reason for no: Security concern. Sites issuing OpenID verification have all kinds of security features and I don't want parts of Dreamwidth's security to depend on what other sites do.

This would allow me to use my OpenID for its (as I understand it) intended purpose: de-cluttering my mind of username/password combinations.

Well, that's not its purpose :) As [personal profile] cesy said, it was designed for cross-site authentication. Quite frankly, using the same very secure password is a better way to handle that problem. Even if it's also not ideal, at least it won't introduce a site-wide security risk.
[personal profile] yvi 2009-08-04 02:50 pm (UTC)
So if a provider gets compromised some number of users' passwords may be compromised, but if they're strong enough passwords they should still be safe.

What do you mean by 'if they're strong enough passwords they should still be safe'? If an account providing OpenID is hacked by using a security hole in someone's website - and that doesn't mean getting the plain text of the password - they could then easily access that user's Dreamwidth account by saying 'yes, allow access' on the Dreamwidth OpenID login page. That has nothing to do with how strong or weak a password is and everything to do with how other services store passwords or handle security.

Sites actually very rarely store the plain text passwords these days, which is a good thing.

Not every user will want to login with an openID, and not every user who does will use the same openID provider.

Yes, but I don't want Dreamwidth to even open that can of worms. Ultimately, if this leads to an account being hacked in some way and data being lost, people will blame Dreamwidth for introducing this risk. I'd rather take people having to remember one more password.

How is this different from the normal day-to-day worries about users having weak passwords?

Dreamwidth places limitations on how often a user can try to log in in a given timeframe before blocking the IP for a while, which basically prevents brute-force password cracking. Dreamwidth cannot guarantee the same for providers of OpenID accounts.

Thanks for the clarifications, but it is certainly being marketed (http://openid.net, http://www.myopenid.com) and used that way (http://sourceforge.net, http://pragprog.com).

I stand corrected then, though it does sound like a lot of marketing stuff to me. I wouldn't even want to have only one password with one sign-in authentication for everything because that means that if this one means of authentication gets compromised, I'm out of luck. Anyway, I had no idea that Sourceforge allows you to do that, but OpenID certainly started out from what I know as a means of commenting on blog posts while being associated with your blog. Which you can 100% do on Dreamwidth.

Still, other sites doing it doesn't mean Dreamwidth has to ;)

Basically, my opinion comes down to the fact that I have no idea whether being an OpenID provider means that you have to adhere to certain security standards, but it doesn't seem to be the case: https://www.myopenid.com/new_domain
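The comment above describes the control that makes the local password login resistant to brute force: Dreamwidth counts failed attempts per source IP and blocks that IP for a while. The block below is an added example written for this page, not Dreamwidth's code, and the limits (5 failures per 60 seconds, then a 300-second block), the usernames, IP addresses, password and wordlist are all constructed for the simulation. It shows why the throttle works against a password-guessing attacker, why it does not lock out the account owner connecting from another address, and, by implication, why it offers nothing once the login is delegated to an OpenID provider's endpoint, which this throttle never sees.

```python
import hashlib
import os
import time
from collections import defaultdict, deque


# Policy values are assumptions chosen for the example, not Dreamwidth's real limits.
MAX_FAILURES = 5       # failed attempts tolerated per source IP...
WINDOW_SECONDS = 60    # ...within this sliding window...
BLOCK_SECONDS = 300    # ...before that IP is refused for this long


class LoginThrottle:
    """Per-IP failed-login counter with a temporary block, as the comment describes."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 block=BLOCK_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.block = block
        self.clock = clock                     # injectable so the simulation is deterministic
        self._failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self._blocked_until = {}               # ip -> time at which the block lifts

    def is_blocked(self, ip):
        now = self.clock()
        until = self._blocked_until.get(ip)
        if until is not None and now < until:
            return True
        if until is not None:                  # block has expired: start the IP fresh
            del self._blocked_until[ip]
            self._failures[ip].clear()
        return False

    def record_failure(self, ip):
        now = self.clock()
        q = self._failures[ip]
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._blocked_until[ip] = now + self.block

    def record_success(self, ip):
        self._failures[ip].clear()
        self._blocked_until.pop(ip, None)


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest). Hypothetical store format."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def attempt_login(throttle, users, ip, username, password):
    """Return 'blocked', 'ok' or 'denied'. The throttle is consulted before the password."""
    if throttle.is_blocked(ip):
        return "blocked"
    record = users.get(username)
    if record is not None:
        salt, digest = record
        if hash_password(password, salt)[1] == digest:
            throttle.record_success(ip)
            return "ok"
    throttle.record_failure(ip)            # unknown user and wrong password count the same
    return "denied"


class FakeClock:
    """Stand-in for time.monotonic() so the run is reproducible."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate_bruteforce():
    """One attacker IP walks a constructed wordlist; the real password is the 12th guess."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    users = {"jqp": hash_password("correct horse battery staple")}
    wordlist = ([f"guess{i}" for i in range(11)]
                + ["correct horse battery staple"]
                + [f"guess{i}" for i in range(11, 19)])
    counts = {"denied": 0, "blocked": 0, "ok": 0}
    for guess in wordlist:
        counts[attempt_login(throttle, users, "203.0.113.7", "jqp", guess)] += 1
        clock.now += 1.0                       # attacker tries one guess per second
    # The account owner, on a different IP, is unaffected by the attacker's block.
    owner = attempt_login(throttle, users, "198.51.100.2", "jqp", "correct horse battery staple")
    # Once the block lifts the attacker gets another MAX_FAILURES guesses, no more.
    clock.now += BLOCK_SECONDS
    after = attempt_login(throttle, users, "203.0.113.7", "jqp", "guess99")
    return counts, owner, after


if __name__ == "__main__":
    print(simulate_bruteforce())
```

Of the 20 guesses, only the first five are ever checked against the password hash; the correct one arrives while the IP is blocked and is never evaluated, and after the block expires the attacker is back to five guesses per window. Checking the throttle before hashing also means a blocked request costs the server no PBKDF2 work. None of this applies to an OpenID-based login: the guessing then happens against the provider's password form, and whether that form is throttled is entirely up to the provider.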