The flip side of this argument is that by typing in a username & password on a
zillion websites, your credentials are exposed when any of those websites are
compromised.

Some people argue that you should use a unique username and password on each
site. Those people live in a fantasy world populated with an entirely different
species of human than the one I live in. The "average internet user" uses the
same password for banking as they do for their porn viewing, and it will take
Maoist-style re-education camps to change that. Nothing stops you from creating
separate moogle accounts for various services, so *your* security is not
compromised in any way. But taking passwords out of the hands of crappy PHP
forums around the world would be a big step in making the internet as a whole
more secure.

Also: since all those services have "reset password" features associated with
your email address, even having separate username/passwords for each doesn't
really get you any additional security. It all comes down to securing the
email address. BrowserID is rad because it's a more elegant way of handling
this email address association.

Jeff

On Mon, Jan 2, 2012 at 12:31 PM, Brandon Wirtz <[email protected]> wrote:
> I don't like Browser ID, OpenID, OAuth solutions because I can put a form on
> a page that looks just like one, get your pass, and then look at which sites
> you have cookies for and instantly know which sites I have your User/Pass
> for.
>
> Unified login might be fine for protecting your Facebook... but SOME COMPANY
> I won't say who but it rhymes with Moogle. Recently unified my logins so
> where I used to have a Password for my Mail, a Password for my YouTube, a
> Password for my Adsense, and a Password for Adwords. Today if you hack my
> Plus account you could spend $100k on adwords against your website, making
> me poorer, and you richer.
>
> Unified Login is for convenience, not security. You might as well guard your
> site with a note that says "do not hack me it isn't nice"
>
> -Brandon
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Jeff Schnitzer
> Sent: Monday, January 02, 2012 11:26 AM
> To: [email protected]
> Subject: Re: [google-appengine] Re: OT: Doing It Wrong
>
> On Mon, Jan 2, 2012 at 11:11 AM, Paul <[email protected]> wrote:
>> While we are at it - what would you suggest to be a most efficient
>> solution on App Engine? Is bcrypt too heavy?
>
> My advice is not to bother with all that crap. Use BrowserID anywhere you
> would use a username/pw instead.
>
> I recently replaced the local username/pw part of my dual-auth system (FB
> being the other) with BrowserID. The user experience is way better than any
> other local auth system I've seen, including ours - which was pretty damn
> nice.
>
> http://www.browserid.org/
>
> Jeff
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-appengine?hl=en.

--
We are the 20%
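Paul's question in the quoted part of the thread ("Is bcrypt too heavy?") is about the work factor of a password hash, which is tunable rather than fixed. The example below is added here and is not code from anyone in this thread; it uses PBKDF2-HMAC from Python's standard library in place of bcrypt (so it runs with no extra packages), stores the salt and iteration count alongside the hash so the work factor can be raised later, compares in constant time, and includes a small timing helper so the cost of a chosen iteration count can be measured on the actual host instead of guessed. The record format, the default of 200,000 iterations and the salt/key sizes are assumptions for this example.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example; not values taken from the thread.
HASH_NAME = "sha256"
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Hash a password with a fresh random salt.

    Returns a self-describing record, "pbkdf2$<hash>$<iterations>$<salt>$<key>",
    so the iteration count can be increased for new records without breaking
    verification of old ones.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join(["pbkdf2", HASH_NAME, str(iterations), salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Check a candidate password against a stored record.

    Malformed records are treated as a failed login rather than an exception,
    and the final comparison is constant-time so timing does not leak how many
    leading bytes of the derived key matched.
    """
    try:
        scheme, hash_name, iterations_str, salt_hex, key_hex = record.split("$")
        if scheme != "pbkdf2":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        iterations = int(iterations_str)
        if iterations < 1 or not expected:
            return False
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def measure_cost(iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall-clock seconds for one hash at the given iteration count.

    Run this on the machine that will actually do the hashing; "too heavy" is
    a number you measure against your login rate, not a property of the algorithm.
    """
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(
            HASH_NAME, b"timing-probe", b"\x00" * SALT_BYTES, iterations, dklen=KEY_BYTES
        )
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong password", record))
    for n in (10_000, 100_000, 200_000):
        print(f"{n:>7} iterations: {measure_cost(n) * 1000:.1f} ms per hash")
```

The iteration count is the only knob in this scheme; the same idea applies to bcrypt's cost parameter. Whichever hash is used, the decision should come from measuring the per-hash time on the deployment target and dividing it into the expected login rate.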
