[OpenID] allowing users to switch to openid-only: pointless?

SitG Admin sysadmin at shadowsinthegarden.com
Sun Jun 7 02:09:38 UTC 2009


>Shade: my co-designer's counter-argument would be that there is no
>backdoor if the user just stops using their original password since
>that would make it practically 100% secure.

Ask your co-designer (who doesn't seem very conscientious about 
security) what plans there were for including "password security" in 
the budget. Some sort of brute force protection where the IP in 
question is banned for a short period of time after several 
successive failed attempts, naturally? Validation of apparent IP (for 
example, by CAPTCHA) before accepting password attempts, to prevent 
attackers from spoofing the user's actual IP to DoS them? Occasional 
(every month or 6) automatic changing of password to prevent 
long-term brute force attacks (by bot net) from eventually trying 
every combination? How about temporarily disabling the account, so 
the right password wouldn't work, and an attacker would just keep 
rolling through all the combinations, oblivious? But if you're going 
to disable the account, why not just keep it that way?

Before raising any brute-force arguments, ask your co-designer to 
lock a local file with some random password that they won't remember, 
but just "throw away". There doesn't have to be anything important in 
the file, but make sure there's SOMEthing so it can be recognized 
later. Later on, quietly retrieve the file and begin running a brute 
force cracking program against it on a dedicated computer. (You might 
want to make sure, first, that you have a working combination of some 
cracking program and an application that you know will let a 
compatible file be password-locked.) Days or weeks later, present 
your proof that a "forgotten" password CAN be compromised.

>Andrew: my co-designer would say that you are insane. Do you have any
>specific arguments to defend yourself from this accusation?

Objection, leading the witness . . . wait, sorry, wrong context.

There is a fine line between "insane" and "genius" :)

-Shade

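An added illustration, not code from this post or its thread: a per-IP throttle of the kind the reply asks about, plus a constructed scenario for the lockout problem it raises. Failures attributed to a user's own address lock that user out under a hard ban, whereas demanding a CAPTCHA before further attempts lets the real user through. Class names, thresholds and addresses are all assumptions.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-IP brute-force throttle (hypothetical design). After `max_failures`
    failed logins inside `window` seconds the source is rate-limited:
    hard_ban=True rejects every attempt from that IP for `ban_seconds`;
    hard_ban=False instead requires a CAPTCHA before more password attempts."""

    def __init__(self, max_failures=5, window=300, ban_seconds=900, hard_ban=True):
        self.max_failures = max_failures
        self.window = window
        self.ban_seconds = ban_seconds
        self.hard_ban = hard_ban
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> time at which the ban expires

    def _recent_failures(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def attempt(self, ip, password_ok, now, captcha_ok=False):
        """Returns 'ok', 'denied', 'banned' or 'captcha_required'."""
        if self.banned_until.get(ip, 0) > now:
            return "banned"
        throttled = self._recent_failures(ip, now) >= self.max_failures
        if throttled and not self.hard_ban and not captcha_ok:
            return "captcha_required"       # soft lockout: prove you are human first
        if password_ok:
            self.failures.pop(ip, None)     # success resets the failure counter
            return "ok"
        self.failures[ip].append(now)
        if self.hard_ban and self._recent_failures(ip, now) >= self.max_failures:
            self.banned_until[ip] = now + self.ban_seconds
            return "banned"
        return "denied"


def lockout_dos_demo(hard_ban):
    """Constructed scenario: 20 failed attempts are attributed to the victim's
    address (203.0.113.7, a documentation address); the real user then logs
    in with the correct password and solves the CAPTCHA if asked."""
    throttle = LoginThrottle(hard_ban=hard_ban)
    for i in range(20):
        throttle.attempt("203.0.113.7", password_ok=False, now=float(i))
    return throttle.attempt("203.0.113.7", password_ok=True, now=30.0, captcha_ok=True)
```

With a hard ban the legitimate user is still shut out at second 30 ("banned"); with the CAPTCHA variant the same login succeeds ("ok").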