[OpenID] allowing users to switch to opendid-only: pointless?

Nicolas Holzapfel signup at nholz.com
Fri Jun 26 22:31:24 UTC 2009


Again, please forgive my extremely late reply.

> Ask your co-designer (who doesn't seem very conscientious about security)
> what plans there were for including "password security" in the budget.

- Shade

We will be using Media Temple <http://mediatemple.net/> to host the site and
my co-designer believes that they are an indomitable Fort Knox when it
comes to keeping data secure.

> I've confessed to insanity before
> <http://twitter.com/aarnott/status/2009287785>.
>  But whether or not I'd want to refute this particular accusation would
> first require that I know on what grounds the accusation stands.  Does your
> anonymous co-designer call me insane because I'd want to disable my
> password?  Personally, I trust my OP much more than I trust my own ability
> to manage hundreds of secure passwords.  So yes, I'd want to disable my
> password.  Short of a password disable feature, I'd change my password to a
> cryptographically strong random password so that neither I nor anyone else
> could ever log in using it again... thus providing me with as much login
> security as my OP affords (which is phishing resistant and more convenient
> than remembering so many secure passwords).
>
- Andrew Arnott

My anonymous co-designer would judge you insane on the grounds that by
changing your password to a cryptographically strong random password that
neither you nor anyone else could ever log in again you are, in effect,
disabling your site-specific password, so there is no point whatsoever in
you having the option to disable it in a more straightforward way. The
anonymous co-designer says that since Media Temple is practically
impenetrable, your password is only insecure when you're typing it in, so
since you never type it in again, it is completely secure.