Another reason to reconsider your password approach

According to Finjan Inc., Google’s anti-phishing blacklist (used, for example, in their Firefox extension) apparently contained various phished usernames and passwords, suggesting that you really should not use the same username and password combination across the web.

Interestingly, OpenID would have, to some degree, mitigated this breach by moving the username and password combo one step away from the sites you log in to, so that at worst the only credential compromised would have been the publicly known identity provider URL.

I’ll be posting more about the topic soon, but I think that, in this particular case, the OpenID model would have been slightly more secure in concealing the high value information (namely your username and password credentials), and, better still, in the case of a breach, if you still had access to your account, you’d be able to change your password once and reduce the vulnerability of the remote sites that you use your OpenID to log in to.

And, note that I’m not talking about the serious matter of spoofing your OpenID provider… in which case OpenID is no better than any other phishable site.

Author: Chris Messina

Head of West Coast Business Development at Republic. Ever-curious product designer and technologist. Hashtag inventor. Previously: (YC W18), Uber, Google.

One thought on “Another reason to reconsider your password approach”

  1. I’m with you on this – I am waiting for the OpenID or something like it to really improve and get some backing to help with all of this. I have 2-3 username/password combos across the web. Any more and I’d forget them.
