Comments on: Got OpenID? http://www.cbc.ca/spark/2008/10/got-openid/ An ongoing conversation about technology and culture, hosted by Nora Young Thu, 16 Feb 2012 02:36:56 +0000 hourly 1 http://wordpress.org/?v= By: PHPDug Social Poster http://www.cbc.ca/spark/2008/10/got-openid/comment-page-1/#comment-5958 PHPDug Social Poster Wed, 03 Jun 2009 22:23:15 +0000 http://www.cbc.ca/spark/blog/2008/10/30/got-openid.html#comment-5958 PHPDug Social Poster enables you promoting unlimited number of domains on autopilot. Moreover, software not only bookmarks domains automatically, it also creates unlimited number of social accounts automatically! Domains and accounts are rotated randomly, so each your bookmark looks like posted by real person! Get ready for massive traffic - PHPDug Social Poster will start sending thousands of real visitors to your websites today! PHPDug Social Poster enables you promoting unlimited number of domains on autopilot. Moreover, software not only bookmarks domains automatically, it also creates unlimited number of social accounts automatically! Domains and accounts are rotated randomly, so each your bookmark looks like posted by real person! Get ready for massive traffic – PHPDug Social Poster will start sending thousands of real visitors to your websites today!

]]> By: Phillip Chee http://www.cbc.ca/spark/2008/10/got-openid/comment-page-1/#comment-3791 Phillip Chee Wed, 25 Feb 2009 19:51:59 +0000 http://www.cbc.ca/spark/blog/2008/10/30/got-openid.html#comment-3791 OpenID allows delegation. If you have an existing website you have control of, such as a blog, you can tie your OpenID to the URL of your blog. To make OpenID more secure, use it conjunction with a one-time password generator such as the YubiKey. In this scenario, even if someone were to use my OpenID they can't do anything with it unless they physically have my YubiKey. And even if they managed to swipe one of those 44-digit AES hex-encoded passwords it would be useless to them because they can only use it once. If they wanted to use the OpenID again they'd have to generate another OTP and they can't do that without that specific YubiKey. OpenID allows delegation. If you have an existing website you have control of, such as a blog, you can tie your OpenID to the URL of your blog. To make OpenID more secure, use it conjunction with a one-time password generator such as the YubiKey. In this scenario, even if someone were to use my OpenID they can't do anything with it unless they physically have my YubiKey. And even if they managed to swipe one of those 44-digit AES hex-encoded passwords it would be useless to them because they can only use it once. If they wanted to use the OpenID again they'd have to generate another OTP and they can't do that without that specific YubiKey.

]]> By: furicle http://www.cbc.ca/spark/2008/10/got-openid/comment-page-1/#comment-2598 furicle Tue, 11 Nov 2008 19:12:44 +0000 http://www.cbc.ca/spark/blog/2008/10/30/got-openid.html#comment-2598 Like everybody else, there are too many openid providers, and not enough openid consumers. I just updated our Mac user group site to accept them, but I'm still in a pretty small minority. I would like to point out a common fallacy going on here though. That old 'sticky note on the side of the monitor' thing isn't as bad as people make it out to be. Put it in your wallet instead and it's a better system in many ways than anything that you keep on your computer itself or through a third party. People have a billion years of evolution to help them keep track of physical items that are important to them, and they generally do a pretty good job at it, where as computer security is a lot younger field..... Like everybody else, there are too many openid providers, and not enough openid consumers. I just updated our Mac user group site to accept them, but I’m still in a pretty small minority.

I would like to point out a common fallacy going on here though. That old ‘sticky note on the side of the monitor’ thing isn’t as bad as people make it out to be. Put it in your wallet instead and it’s a better system in many ways than anything that you keep on your computer itself or through a third party. People have a billion years of evolution to help them keep track of physical items that are important to them, and they generally do a pretty good job at it, where as computer security is a lot younger field…..

]]> By: Think Green http://www.cbc.ca/spark/2008/10/got-openid/comment-page-1/#comment-2597 Think Green Tue, 11 Nov 2008 02:47:49 +0000 http://www.cbc.ca/spark/blog/2008/10/30/got-openid.html#comment-2597 While OpenId seems like a great idea, it all boils down to one password and a hackable database. I'll stick with "Roboform"...I've been using it for four years now without any issues, and it also fills in all of those pesky forms like the one for this comments section. While OpenId seems like a great idea, it all boils down to one password and a hackable database.

I’ll stick with “Roboform”…I’ve been using it for four years now without any issues, and it also fills in all of those pesky forms like the one for this comments section.

]]> By: Joel Carter http://www.cbc.ca/spark/2008/10/got-openid/comment-page-1/#comment-2596 Joel Carter Mon, 10 Nov 2008 22:59:59 +0000 http://www.cbc.ca/spark/blog/2008/10/30/got-openid.html#comment-2596 Like Glenn I also use a password manager running on a USB flash drive that is on my key chain. Pretty geeky but it allows me to forget all my passwords and use the program to copy 'n paste 'em. When I sign up a new account I generate a new random password. The entire password database is encrypted and requires a password to get into it, so if I lose my keys the database is useless - I can't say the same for my car though! Check KeePass out for free (GPL): <a href="http://keepass.info/" rel="nofollow">http://keepass.info/</a> There are OSX and Linux versions that are compatible with the database as well. Like Glenn I also use a password manager running on a USB flash drive that is on my key chain. Pretty geeky but it allows me to forget all my passwords and use the program to copy ‘n paste ‘em. When I sign up a new account I generate a new random password. The entire password database is encrypted and requires a password to get into it, so if I lose my keys the database is useless – I can’t say the same for my car though! Check KeePass out for free (GPL):

http://keepass.info/

There are OSX and Linux versions that are compatible with the database as well.

]]> By: Jeff http://www.cbc.ca/spark/2008/10/got-openid/comment-page-1/#comment-2595 Jeff Mon, 10 Nov 2008 20:26:36 +0000 http://www.cbc.ca/spark/blog/2008/10/30/got-openid.html#comment-2595 In this day and age, it's not being paranoid to be concerned that password managers could be hacked or could even be secretly sending your passwords, usernames, and other info to someone. How many of you who use a password manager and a firewall routinely authorized the firewall to allow the password manager to access the internet after installing it? Now that it can do so, do you know if it's ever sent any info anywhere? I don't care how much the companies that make password managers claim their product won't do that, there's still no guarantee it won't be hacked. Even a one in a million chance of that happening isn't too small when computers can query vast numbers of other computers in seconds. Memorize your most important passwords and write down the others in a way that someone finding the piece of paper won't know what it is. Passwords are for security, yet too many people put them at more risk than their systems would be without them. In this day and age, it’s not being paranoid to be concerned that password managers could be hacked or could even be secretly sending your passwords, usernames, and other info to someone.

How many of you who use a password manager and a firewall routinely authorized the firewall to allow the password manager to access the internet after installing it? Now that it can do so, do you know if it’s ever sent any info anywhere?

I don’t care how much the companies that make password managers claim their product won’t do that, there’s still no guarantee it won’t be hacked. Even a one in a million chance of that happening isn’t too small when computers can query vast numbers of other computers in seconds.

Memorize your most important passwords and write down the others in a way that someone finding the piece of paper won’t know what it is.

Passwords are for security, yet too many people put them at more risk than their systems would be without them.

]]> By: Walt Sullivan http://www.cbc.ca/spark/2008/10/got-openid/comment-page-1/#comment-2594 Walt Sullivan Sun, 09 Nov 2008 00:01:23 +0000 http://www.cbc.ca/spark/blog/2008/10/30/got-openid.html#comment-2594 I use a GPL Palm application, called STRIP (Secure Tool for Remembering Important Passowrds) <a href="http://www.identicentric.com/products/strip/index.html" rel="nofollow">http://www.identicentric.com/products/strip/index.html</a> to generate and remember my passwords. I currently have 274 different passwords. STRIP will generate passwords that contain Numeric, Alpha-Num or Alpha-Num w/Meta characters, 4-32 characters long, at the tap of a button. The pasword database is encrypted with 128-bit AES, and stays encrypted when I back my Palm up. STRIP has carried my passwords for over 8 years, and through 5 Palm Pilot replacements. I dislike the idea of OpenID - it's a Big, Juicy Target (once you can fake OpenID, you can fake anything). Walt I use a GPL Palm application, called STRIP (Secure Tool for Remembering Important Passowrds) http://www.identicentric.com/products/strip/index.html

to generate and remember my passwords. I currently have 274 different passwords. STRIP will generate passwords that contain Numeric, Alpha-Num or Alpha-Num w/Meta characters, 4-32 characters long, at the tap of a button. The pasword database is encrypted with 128-bit AES, and stays encrypted when I back my Palm up. STRIP has carried my passwords for over 8 years, and through 5 Palm Pilot replacements.

I dislike the idea of OpenID – it’s a Big, Juicy Target (once you can fake OpenID, you can fake anything).

Walt

]]> By: Bruce http://www.cbc.ca/spark/2008/10/got-openid/comment-page-1/#comment-2593 Bruce Sat, 08 Nov 2008 02:48:45 +0000 http://www.cbc.ca/spark/blog/2008/10/30/got-openid.html#comment-2593 I rely on old-fashioned technology, I write down all my pwds and names down in a notebook. I'm not involved in international espionage so I'm not worried about a break in. I don't like the idea of OpenID because if someone hacks it online, then all your password sites are in jeprody. I'll stick to the pen as back up. I won't even put the info on my computer. I rely on old-fashioned technology, I write down all my pwds and names down in a notebook. I’m not involved in international espionage so I’m not worried about a break in.

I don’t like the idea of OpenID because if someone hacks it online, then all your password sites are in jeprody. I’ll stick to the pen as back up. I won’t even put the info on my computer.

]]> By: Carl http://www.cbc.ca/spark/2008/10/got-openid/comment-page-1/#comment-2592 Carl Thu, 06 Nov 2008 00:54:04 +0000 http://www.cbc.ca/spark/blog/2008/10/30/got-openid.html#comment-2592 I don't see any reason to risk using an Internet based password manager such as OpenID. Why not use a password manager that runs on your own home computer. That way you never have to worry about phishing or other methods that may be used to steal your information. I use the password manager that is built into my computer "Keychain" (for my Mac). It works great for remembering all my passwords and my software registration information. Better still, I don't have to "trust" some unknown entity. There are many password managers out there to choose from. OpenID seems like a waste of time. I don’t see any reason to risk using an Internet based password manager such as OpenID. Why not use a password manager that runs on your own home computer. That way you never have to worry about phishing or other methods that may be used to steal your information. I use the password manager that is built into my computer “Keychain” (for my Mac). It works great for remembering all my passwords and my software registration information. Better still, I don’t have to “trust” some unknown entity. There are many password managers out there to choose from. OpenID seems like a waste of time.

]]> By: Delve http://www.cbc.ca/spark/2008/10/got-openid/comment-page-1/#comment-2591 Delve Thu, 06 Nov 2008 00:36:20 +0000 http://www.cbc.ca/spark/blog/2008/10/30/got-openid.html#comment-2591 I heard the OpenID piece today and I think it REALLY missed a huge point. Companies like google, hotmail et al. have varying EULAs that permit them to harvest some or all of the information you give them including gmail and its famous wholesale scanning of email content. These EULAs are obscene and people are blindly giving away a lot of their privacy for no real benefit. Do you really want to use an "openid" through a company that may through their EULA allow them to harvest all your information from sites you access? I heard the OpenID piece today and I think it REALLY missed a huge point. Companies like google, hotmail et al. have varying EULAs that permit them to harvest some or all of the information you give them including gmail and its famous wholesale scanning of email content.

These EULAs are obscene and people are blindly giving away a lot of their privacy for no real benefit.

Do you really want to use an “openid” through a company that may through their EULA allow them to harvest all your information from sites you access?

]]>