Simon Waters wrote:

> Presumably people will have several OpenID identities (I expect the
> spammers already have 10,000s), as you wouldn't want to discover you
> can't post to "natwestsucks.com" because they just suspended your bank
> account.

If that does become reality then you're back to the original issue of 'errmmm.. which password did I use with this ID?', which is what they're aiming to stop in the first place.

I would hope that the OpenID developers have been sensible enough to have one of those graphical 'type what you see above to prove you're human' verification pages to prevent hackers using bots to create bulk OpenIDs. Failing that, prevent IDs being created too often from the same IP address/machine, e.g. stop them registering new IDs more than once every 5 minutes. That way 10,000 OpenIDs (for example) would take 34.72 days - I doubt any hacker is that patient.

When I worked in Tech Support I had one customer who I saw had rung in previously the same morning five times already. He wanted to confirm his UID and PWD. After he rang off I checked the other calls.... yep... every call was username/password. He was by no means the only one over the 6.5 years. The only good thing I can say is that he obviously hadn't written it down anywhere, or clicked the 'Save Password' box.

Personally I think sites that use authentication should just make 'Password Reminder' pages a lot more accessible. Security integrity is maintained as you don't have a single point for every password and system, and the client gets security. You could even get their password sent via SMS instead of email if the user was concerned about it being emailed to them.

Kind regards,

Julian

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
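As an added illustration (not part of the original post or of any OpenID implementation), the per-address registration throttle Julian describes, with a hypothetical in-memory store and constructed sample events; it also reproduces his arithmetic for the time 10,000 IDs would take at one per 5 minutes.

```python
"""Per-IP registration throttle: at most one new ID per address per 5 minutes.
Added example; the store, event list and function names are hypothetical."""
from dataclasses import dataclass, field

MIN_INTERVAL_SECONDS = 5 * 60  # one new ID per source address every 5 minutes


@dataclass
class RegistrationThrottle:
    min_interval: int = MIN_INTERVAL_SECONDS
    # last accepted registration time per source address (in-memory, illustrative only)
    _last_seen: dict = field(default_factory=dict)

    def try_register(self, ip: str, now: float) -> bool:
        """Record and allow the registration unless this address registered too recently."""
        last = self._last_seen.get(ip)
        if last is not None and now - last < self.min_interval:
            return False  # too soon: the signup page should ask the user to retry later
        self._last_seen[ip] = now
        return True


def days_to_register(count: int, min_interval: int = MIN_INTERVAL_SECONDS) -> float:
    """Days a single address needs to create `count` IDs when limited to one per interval."""
    return count * min_interval / 86400


# Constructed sample: (source address, seconds since epoch) registration attempts.
SAMPLE_ATTEMPTS = [
    ("198.51.100.7", 0.0),     # first attempt from this address: allowed
    ("198.51.100.7", 100.0),   # 100 s later from the same address: refused
    ("203.0.113.9", 100.0),    # another address at the same time: allowed
    ("198.51.100.7", 300.0),   # exactly 5 minutes after its last success: allowed
]


def simulate(attempts=SAMPLE_ATTEMPTS) -> list:
    """Run the attempts through one throttle and return the allow/refuse decisions in order."""
    throttle = RegistrationThrottle()
    return [throttle.try_register(ip, t) for ip, t in attempts]


if __name__ == "__main__":
    print(simulate())                            # [True, False, True, True]
    print(round(days_to_register(10_000), 2))    # 34.72
```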