Another reason to reconsider your password approach

According to Finjan Inc., Google’s anti-phishing blacklist (used, for example, in their Firefox extension) apparently contained various phished usernames and passwords, suggesting that you really should not use the same username and password combination across the web.

Interestingly, OpenID would have, to some degree, mitigated this breach by moving the username and password combo off by one step, so at worst, the only credentials compromised would have been the publicly known identity provider URL.

I’ll be posting more about the topic soon, but I think that, in this particular case, the OpenID model would have been slightly more secure in concealing the high value information (namely your username and password credentials), and, better still, in the case of a breach, if you still had access to your account, you’d be able to change your password once and reduce the vulnerability of the remote sites that you use your OpenID to login to.

And, note that I’m not talking about the serious matter of spoofing your OpenID provider… in which case OpenID is no better than any other phishable site.

One Comment

  1. motherduce said
    at 2pm on Feb 1st # |

    I’m with you on this – I am waiting for the OpenID or something like it to really improve and get some backing to help with all of this. I have 2-3 username/password combos across the web. Any more and I’d forget them.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*