Effects of OpenID or similar standards

Jerry Leichter leichter at lrw.com
Sun Nov 8 21:17:28 EST 2009

On Nov 6, 2009, at 4:19 PM, Erwan Legrand wrote:

> On Tue, Nov 3, 2009 at 9:41 PM, David-Sarah Hopwood
> <david-sarah at jacaranda.org> wrote:
>> Jerry is absolutely correct that the practical result will be that most
>> users of OpenID will become more vulnerable to compromise of a single
>> password.
> Do you really believe most people use different passwords for
> different sites?
> Let's face it: most people use the same password for every single Web
> site they connect to. Starting from here, I can't see OpenID becoming
> much of a problem.
While I'm sure this is widely believed, I wonder if it's really true.
Is anyone aware of research on the subject?

Even if it's true to a large degree, the details may matter.  People
may routinely use the same password for all their "low value"
accounts, but come up with something better for their bank or other
"high value" accounts.  Paradoxically, the *lack* of a standard for
password quality may help here.  High-value sites often place some
requirement on the nature of passwords, but the requirements vary:
letters and digits only; letters plus digits plus at least one
"special" character - with the set of allowed "special" characters
varying in pretty arbitrary ways; etc.  It's tough to come up with a
single password that will be broadly accepted at such sites, and
anything someone does come up with will be so inconvenient that it's
unlikely to be something they'll want to use at low-value,
any-password-accepted sites.

A widely-used single sign on system is certainly great from a
usability point of view, and does actually have some positive effects
on security:  You no longer need to hand your actual password to sites
programmed by someone whose background in security is minimal.  The
downside is that you now have a single super-high-value password, the
compromise of which would be very painful.

                                                         -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
