
Quicksilver + Quicksearches = Ultimate Power


For those not familiar, OpenID is a system that allows you to sign in to
multiple websites using one identity. So, rather than have a different
username and password for each site, you would just sign into each one using
your OpenID credentials. In addition to the convenience this offers, there’s
a security benefit in that the websites you use OpenID with don’t ever see
the password you entered to gain access to their site.

This works by delegating the authentication out to the OpenID provider.
Essentially, OpenID-enabled websites trust OpenID providers, so when
you go to a given OpenID website it redirects you to your provider, where
you log in with your OpenID credentials. You are then seamlessly redirected
back to the site, and your provider tells the site in the background, “This
person is good to go…”

So at that point you’re authenticated to the site without it ever having
seen your password, and you didn’t have to click around to multiple sites:
it all happened with a single login. This is stellar, but there’s a
downside.
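The delegated-login flow described above, as an added example that is not part of the original post: a constructed, deliberately simplified model (not the real OpenID 2.0 wire protocol) in which only the provider ever checks the password, and the relying party accepts a signed assertion it can verify with a secret shared with the provider. The `assert_for` check that the user must already hold a provider session mirrors the post’s later advice to require an existing sign-in before an incoming request is granted.

```python
import hashlib, hmac, os, secrets

# Constructed, simplified model of OpenID-style delegated login (not the real
# OpenID 2.0 wire protocol): only the provider checks the password; the relying
# party (RP) gets a signed assertion it checks with a shared association secret.

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
def _sign(secret, identity, return_to, nonce):
    msg = f"{identity}|{return_to}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class Provider:
    def __init__(self):
        self.users = {}                               # identity -> (salt, hash)
        self.assoc_secret = secrets.token_bytes(32)   # shared with trusted RPs
        self.signed_in = set()                        # active provider sessions
    def register(self, identity, password):
        salt = os.urandom(16)
        self.users[identity] = (salt, _hash(password, salt))
    def login(self, identity, password):
        salt, stored = self.users[identity]
        ok = hmac.compare_digest(stored, _hash(password, salt))
        if ok:
            self.signed_in.add(identity)
        return ok
    def assert_for(self, identity, return_to):
        # Refuse an incoming RP request unless the user already holds a session here.
        if identity not in self.signed_in:
            return None
        nonce = secrets.token_hex(8)
        return {"identity": identity, "return_to": return_to, "nonce": nonce,
                "sig": _sign(self.assoc_secret, identity, return_to, nonce)}

class RelyingParty:
    def __init__(self, assoc_secret, return_to):
        self.assoc_secret, self.return_to = assoc_secret, return_to
        self.seen_nonces = set()   # used to reject replayed assertions

    def verify(self, a):
        if a is None or a["return_to"] != self.return_to:
            return False           # no provider session, or meant for another site
        if a["nonce"] in self.seen_nonces:
            return False           # replay
        expected = _sign(self.assoc_secret, a["identity"], a["return_to"], a["nonce"])
        if not hmac.compare_digest(expected, a["sig"]):
            return False           # forged or tampered assertion
        self.seen_nonces.add(a["nonce"])
        return True
```

The relying party never touches the password; it only learns whether a correctly signed, unreplayed assertion for its own return address arrived.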

The ‘Eggs and Baskets’ Counterargument

While the scenario above keeps websites from getting your OpenID password
during legitimate website logins, many have raised a valid question:

Without question, the answer is yes. But that doesn’t mean necessarily that
consolidating on an OpenID identity is less secure; the risk assessment is
more complex than that. And that’s where the discussion gets interesting.

Tradeoffs

So, we’ve established that OpenID keeps individual websites from having
access to your passwords. We know that is good, so we’ll mark that as a
positive. We also know that putting all one’s security eggs in one password
basket increases the impact of a password compromise–so that’s a negative.

We can also add the following assumptions pretty safely:

  1. users tend to use poor passwords

  2. users share these poor passwords across websites and services

  3. therefore, a compromise at one site often leads to a compromise at
    others

So the question really becomes:

There’s also another downside to OpenID that must be factored in:
the phishing threat. This is where a user thinks he/she is
being redirected to log into their OpenID provider, when in fact they are
being shown an attacker’s website. So, when they enter their credentials the
bad guy has just stolen the password not just to one site, but to every site
they use OpenID with.

But again, we don’t want to give the impression that OpenID is any more
prone to phishing than any other service–it’s not. The issue isn’t an
increased ease of compromise of OpenID credentials (there isn’t any), but
rather the increased damage that could result if they
were compromised.

But if you think that’s bad, it’s nothing compared to the danger we already
face today.

The Weakest Link: Email Password Reset Mechanisms

Most people–and I dare say even most security professionals–don’t
realize that the greatest vulnerability to website password security doesn’t
come from having multiple passwords spread out over many sites. It
actually comes from the mother of all single points of failure–the
email-based password reset mechanism.

OpenID is a potential single point of failure, for some subset
of online users, at some point in the future. Email, on the other hand, is
a single point of failure for almost everyone–right now.

Think about it: when you forget your password, how do you reset it for the
majority of the sites you use? Right, email. That means that the way into
virtually all those different websites is through your email account.
This leads us to a startling conclusion: the absolute most important password
you have is the password to your email account.

The other backdoor into your accounts is the question-answer system
whereby you are asked some questions like, “What’s the name of your favorite
pet?”, or “What was the name of your first High School?” These systems
constitute a major weakness in online security for the simple reason that
guessing these answers is often much easier than guessing your password.

A Risk Discussion

Ok, so now we’ve laid some things out on the table: multiple weak passwords
spread across sites, single points of failure, etc.–let’s look at them, and
see where the risk tradeoffs lead us. Keep in mind: while I am experienced
in information security, this analysis is definitely subject to interpretation.
Follow me along in my logic and let me know if you disagree.

Many Weak Passwords vs. Single Point of Failure with OpenID

First off, I’d say that using an OpenID with a solid provider and a strong
password (preferably with two-factor authentication) is going to yield an
overall more secure posture for the average user than that same person using
weak passwords (which are often shared) on individual websites. The key here
is that if any of those passwords on those multiple sites are cracked, via
whatever method, it’s likely to lead to the cracking of other sites as well.

Phishing

The phishing narrative, which is often relayed in order to dissuade people
from considering OpenID, is not nearly as compelling as it appears. This is
because that same attack would work today, for those same users who’d be
vulnerable to an OpenID phish, if they were to be sent to a fake GMail or
Yahoo! Mail login. That attack is rather trivial, and looks something like
this:

  1. Capture the victim’s email password via phishing

  2. Use the password reset mechanism at the various sites of theirs that
    you want to crack

  3. Collect and reset those passwords from the compromised email account

In other words, this attack is nearly identical to the hypothetical OpenID
single-point-of-failure (SPOF) attack, but email account phishing is a
single point of failure that most everyone has, so it’s a threat
right now.

So What Do We Do?

So here are the things you can do immediately to improve your online
security posture:

  1. Go, right now, and change your email password. Make it as complex
    as possible and don’t use a scheme or pattern that you’ve used in the
    past. Make it around 8 characters (you get diminishing returns beyond
    that) and make sure to use upper-case, lower-case, numbers, and at least
    one special character.

  2. Modify your password reset questions and answers for your email
    account (if you have them). If you have the option, create your own
    questions, and use answers that only you would know. Don’t be like Sarah
    Palin (solid advice on a number of levels) and use something that can be
    looked up (she got her email hacked by using her High School name). If
    you’re forced to use canned questions, be tricky: consider answering
    “Friday” for favorite food, or “7129” for your favorite pet’s name.

  3. Sign up for an OpenID account. I suggest PIP from VerisignLabs
    because they offer a number of two-factor options (I use their soft
    token). Make this password a good one, and don’t base it off of any
    patterns you’ve used in the past. Pay special attention to your reset
    mechanisms (see numbers 1 and 2), and enable the two-factor option if at
    all possible. Enable the setting on your OpenID account (PIP) that
    requires you to already be signed in before an incoming authentication
    request is granted.

  4. For your sensitive accounts (I’d say this includes social networking
    sites in most cases) use your OpenID account wherever you can. And
    where you do, be sure to change your local, website-based password
    (which you’ll be mapping your OpenID to) to something complex.
    Consider using a password-generator tool for generating and managing
    those passwords–something like 1Password or Password Safe. You hopefully
    won’t have to use them much, as you’ll be using your OpenID in most
    cases.

These four things should enhance your online security significantly, and
doing just the first two will get you a solid measure of the benefits. Also,
if you have anything to add to this analysis, or if you think I’ve
mishandled or omitted something, please do let me know in the comments.

Links

  1. OpenID

  2. Phishing

May 23, 2025
