Full Disclosure mailing list archives
Re: OpenID. The future of authentication on the web?
From: "John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec () gmail com>
Date: Mon, 24 Mar 2008 10:02:15 -0500
For the automated low-hanging fruit attacks, they won't crack. They're simply trawling for passwords and rarely do they even think to cross-check. For someone to spend that kind of thought and attention, the victim has to be specifically targeted.

Now, to be fair, I only advocate that strategy for "throwaway" accounts. For instance, I don't really care if my account on digg gets cracked; I do care if my bank account gets cracked. So I use the throwaway for digg (or other sites that just don't matter if they are compromised) and something secure and unique for the banks and other important stuff. The alternative is that someone uses the same password for EVERYTHING: crack some forum and you've got bank account passwords too.

Long winded, but I'm not sure OpenID would provide authentication for much I'd care about (admittedly I haven't looked in detail).

On Mon, Mar 24, 2008 at 9:58 AM, Larry Seltzer <Larry () larryseltzer com> wrote:
> > For instance, S0m3p4ss!### where ### is a 3-letter acronym for the site they are accessing. Still need only one password to remember and you don't necessarily have a single point of 0wnership anymore.
>
> I've never understood this strategy. Once I compromise your "S0m3p4ss!ama" password for amazon.com how long will it take me to figure out all your others?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer () ziffdavisenterprise com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
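The exchange above turns on one property of the "base password plus 3-letter site tag" scheme: every password except its last three characters is identical across sites, so one leaked password hands over the stem and the tag is guessable from the site name. The following is an added example, not code from the thread or from either poster. It models the quoted scheme, applies Larry's objection as a mechanical check over pairs of sites, and sets it beside a swapped-in alternative that is not discussed in the thread: deriving each site's password as an HMAC-SHA256 of the site name under a master secret, so that one derived password says nothing about the others without the key. The base password, site names, tags and master secret are constructed sample values.

```python
import base64
import hashlib
import hmac


def suffix_scheme(base: str, site_tag: str) -> str:
    """The scheme quoted in the thread: one memorised base password plus a
    short per-site tag (the thread's example is 'S0m3p4ss!' + 'ama')."""
    return base + site_tag


def keyed_scheme(master_secret: bytes, site: str, length: int = 16) -> str:
    """Swapped-in alternative, not from the thread: the per-site password is
    HMAC-SHA256(master_secret, site name), base64-encoded and truncated.
    Outputs for different sites are unrelated unless the key is known."""
    digest = hmac.new(master_secret, site.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two passwords share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def leak_reveals_pattern(leaked: str, other: str, tag_len: int = 3) -> bool:
    """Larry's objection as a check: if everything except the last `tag_len`
    characters is identical, a leak of `leaked` exposes the stem of `other`,
    and the remaining `tag_len` characters follow from the site name."""
    if len(leaked) <= tag_len or len(leaked) != len(other):
        return False
    return leaked[:-tag_len] == other[:-tag_len]


def compare_schemes(base: str, master_secret: bytes, sites: dict) -> dict:
    """For every pair of sites, count how often a leak of one site's password
    exposes the other's under each scheme. `sites` maps site name -> tag."""
    names = list(sites)
    suffix_pw = {s: suffix_scheme(base, sites[s]) for s in names}
    keyed_pw = {s: keyed_scheme(master_secret, s) for s in names}
    result = {
        "pairs": 0,
        "suffix_exposed_pairs": 0,
        "keyed_exposed_pairs": 0,
        "max_keyed_common_prefix": 0,
    }
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            result["pairs"] += 1
            if leak_reveals_pattern(suffix_pw[a], suffix_pw[b]):
                result["suffix_exposed_pairs"] += 1
            if leak_reveals_pattern(keyed_pw[a], keyed_pw[b]):
                result["keyed_exposed_pairs"] += 1
            result["max_keyed_common_prefix"] = max(
                result["max_keyed_common_prefix"],
                common_prefix_len(keyed_pw[a], keyed_pw[b]),
            )
    return result


# Constructed sample input (not from the thread): a base password in the
# thread's style, three site tags, and a master secret for the keyed scheme.
SAMPLE_BASE = "S0m3p4ss!"
SAMPLE_SITES = {"amazon.com": "ama", "digg.com": "dig", "example-bank.example": "bnk"}
SAMPLE_MASTER = b"constructed-master-secret-do-not-reuse"

if __name__ == "__main__":
    # Expect every pair exposed under the suffix scheme, none under the keyed one.
    print(compare_schemes(SAMPLE_BASE, SAMPLE_MASTER, SAMPLE_SITES))
```

The keyed derivation is only as good as the secrecy of `SAMPLE_MASTER`, which has to be stored rather than memorised, so in practice it is a password manager in all but name; that lines up with the thread's own conclusion that anything that matters should get a password that is both secure and unique.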
Current thread:
- Re: OpenID. The future of authentication on the web?, (continued)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
- Re: OpenID. The future of authentication on the web? Pedro Hugo (Mar 24)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 24)
- Re: OpenID. The future of authentication on the web? Kurt Buff (Mar 23)
- Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 24)
- Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? Gorn (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? Gorn (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? Valdis . Kletnieks (Mar 24)