[145050] in cryptography@c2.net mail archive
Re: Effects of OpenID or similar standards
daemon@ATHENA.MIT.EDU (Erwan Legrand)
Mon Nov 9 20:04:53 2009
In-Reply-To: <FDED9230-1A18-4B1F-8152-A13DFD5239F3@lrw.com>
Date: Mon, 9 Nov 2009 13:51:40 +0100
From: Erwan Legrand <erwan.legrand@gmail.com>
To: Jerry Leichter <leichter@lrw.com>
Cc: cryptography@metzdowd.com
On Mon, Nov 9, 2009 at 3:17 AM, Jerry Leichter <leichter@lrw.com> wrote:
> On Nov 6, 2009, at 4:19 PM, Erwan Legrand wrote:
>> Let's face it: most people use the same password for every single Web
>> site they connect to. Starting from here, I can't see OpenID becoming
>> much of a problem.
>
> While I'm sure this is widely believed, I wonder if it's really true. =A0=
Is
> anyone aware of research on the subject?
Not exactly, although I sure there was some research done on the
number of passwords people had to remember nowadays and how many they
were able to remember.
> Even if it's true to a large degree, the details may matter. =A0People ma=
y
> routinely use the same password for all their "low value" accounts, but c=
ome
> up with something better for their bank or other "high value" accounts.
For what it's worth (i.e. not much), in my own experience people who
actually do this qualify as nerds.
> =A0Paradoxically, the *lack* of a standard for password quality may help =
here.
> =A0High-value sites often place some requirement on the nature of passwor=
ds,
> but the requirements vary: =A0Letters and digits only; letters plus digit=
s
> plus at least one "special" character - with the set of allowed "special"
> characters varying in pretty arbitrary ways; etc. =A0It's tough to come u=
p
> with a single password that will be broadly accepted at such sites, and
> anything someone does come up with will be so inconvenient that it's
> unlikely to be something they'll want to use at low-value,
> any-password-accepted, sites.
Select any five letters long dictionary word of your choice, append 0
or 1 and you have a password one can reuse for almost all her
accounts. I've seen real people do just that.
> A widely-used single sign on system is certainly great from a usability
> point of view, and does actually have some positive effects on security:
> =A0You no longer need to hand your actual password to sites programmed by
> someone whose background in security is minimal. =A0The downside is that =
you
> now have a single super-high-value password, the compromise of which woul=
d
> be very painful.
Agreed. This word, "usability", is the key here. I used to be very
sceptical (to say the least) with regard to "SSO" systems. Then about
everyone around gained access to the Internet and the World Wide Web.
Then about every new Web site out there started requiring users to
create accounts. The likes of OpenID have their use in today's world.
Looking to this problem from another perspective, I'm yet to see any
sensitive Web site (such as a banking site) relying on OpenID for
authentication. But I must admit I haven't looked for one. Yet perhaps
someone on this list knows better?
--=20
Erwan Legrand
Simplicity is prerequisite for reliability.
-- E. W. Dijkstra
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
