You represent the 0.01% most sophisticated users on the internet. Even among technorati, this kind of behavior is rare. You won't be able to stop users from re-using the same password over and over, so your website is effectively as secure as the *least* secure website your users type that same password into. Handing off responsibility for authentication to a trusted third party is a dramatic improvement in security for 99.99% of internet users.
Jeff

On Tue, Jan 3, 2012 at 1:07 AM, Brandon Wirtz <[email protected]> wrote:
> I have unique passwords for every site. I use a common base but have a
> system for the name of the site being in the pass.
>
> Base= MyPassW0rd
> Google = MyPassGoogleW0rd
>
> I also have "throw away" and "Attached to Money" passwords. And Attached
> to Money is even more complex.
>
> I self-manage; I don't use a password locker.
>
> I have had trouble when sites rebrand.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Jeff Schnitzer
> Sent: Monday, January 02, 2012 11:19 PM
> To: [email protected]
> Subject: Re: [google-appengine] Re: OT: Doing It Wrong
>
> The flip side of this argument is that by typing in a username & password on
> a zillion websites, your credentials are exposed when any of those websites
> are compromised.
>
> Some people argue that you should use a unique username and password on each
> site. Those people live in a fantasy world populated with an entirely
> different species of human than the one I live in. The "average internet
> user" uses the same password for banking as they do for their porn viewing,
> and it will take Maoist-style re-education camps to change that.
>
> Nothing stops you from creating separate moogle accounts for various
> services, so *your* security is not compromised in any way. But taking
> passwords out of the hands of crappy PHP forums around the world would be a
> big step in making the internet as a whole more secure.
>
> Also: Since all those services have "reset password" features associated
> with your email address, even having separate username/passwords for each
> doesn't really get you any additional security. It all comes down to
> securing the email address. BrowserID is rad because it's a more elegant
> way of handling this email address association.
>
> Jeff
>
> On Mon, Jan 2, 2012 at 12:31 PM, Brandon Wirtz <[email protected]> wrote:
>> I don't like BrowserID, OpenID, OAuth solutions because I can put a
>> form on a page that looks just like one, get your pass, and then look
>> at which sites you have cookies for and instantly know which sites I
>> have your User/Pass for.
>>
>> Unified login might be fine for protecting your Facebook... but SOME
>> COMPANY I won't say who but it rhymes with Moogle. Recently unified
>> my logins so where I used to have a Password for my Mail, a Password
>> for my YouTube, a Password for my AdSense, and a Password for AdWords.
>> Today if you hack my Plus account you could spend $100k on AdWords
>> against your website, making me poorer, and you richer.
>>
>> Unified Login is for convenience, not security. You might as well
>> guard your site with a note that says "do not hack me it isn't nice".
>>
>> -Brandon
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Jeff Schnitzer
>> Sent: Monday, January 02, 2012 11:26 AM
>> To: [email protected]
>> Subject: Re: [google-appengine] Re: OT: Doing It Wrong
>>
>> On Mon, Jan 2, 2012 at 11:11 AM, Paul <[email protected]> wrote:
>>> While we are at it - what would you suggest to be a most efficient
>>> solution on App Engine? Is bcrypt too heavy?
>>
>> My advice is not to bother with all that crap. Use BrowserID anywhere
>> you would use a username/pw instead.
>>
>> I recently replaced the local username/pw part of my dual-auth system
>> (FB being the other) with BrowserID. The user experience is way
>> better than any other local auth system I've seen, including ours -
>> which was pretty damn nice.
>>
>> http://www.browserid.org/
>>
>> Jeff
>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "Google App Engine" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/google-appengine?hl=en.
>
> --
> We are the 20%
