Thursday, June 07, 2012

The use case for #OpenID indicated by the #LinkedIn hack

LinkedIn was hacked; all the passwords in use a few days ago are no longer secret. The advice people get is to change their password everywhere where they use the same password.

This blog post is not about LinkedIn. It is about the lack of security provided by passwords as seen from a user point of view. Any organisation that thinks it can not happen to them is delusional. From a user point of view, any website that wants you to create a user with a password that is maintained on that website is a potential security risk. A risk you are exposed to because any site can be hacked and, you do not remember passwords that are unique to each website.

For a user, it is more secure to rely on one place where all the authentication to any website is done. The advantage becomes clear when a website is hacked; there is no password for you to abuse. When the authentication server is hacked, all that is required is to change the password at that central server.

LinkedIn was compromised and as a result many people with a Wikimedia account have an account that is compromised as well. Many of these people will not change their password because they cannot be bothered or because they are not aware of the risk.

As a consequence disruption by "trusted users" is a potential and realistic scenario. This risk can be mitigated by accepting the use of authentication through an OpenID service.
Thanks,
     GerardM

4 comments:

Lockal said...

When LinkedIn was hacked, I lost my password for a single site. But if LiveJournal or MyOpenID or any other openid provider would be hacked, I would potentially loose evetything. Who knows how they store my password? Nobody. IMO only 3 rules could prevent such leaks:

1) Opensource code, so everyone could control their password safety

2) BCrypt. BCrypt. BCrypt-BCrypt-BCrypt-BCrypt-BCrypt-BCrypt-BCrypt-BCrypt

3) See rule number 2

Anonymous said...

All I can say is take a look at this article: http://www.computerworld.com/s/article/9225589/Study_finds_major_flaws_in_single_sign_on_systems

Anonymous said...

Try this again:
http://www.computerworld.com/s/article/9225589/Study_finds_major_flaws_in_single_sign_on_systems

Gerard Meijssen said...

The question is not so much if there are potential issues with OpenID, the question is it an improvement on the existing situation..

In my opinion, the widespread practice of having a single password on a multitude of websites is a bigger worry.
Thanks,
Gerard