[OpenID] allowing users to switch to openid-only: pointless?

Andrew Arnott andrewarnott at gmail.com
Sat Jun 27 01:41:35 UTC 2009


On Fri, Jun 26, 2009 at 3:31 PM, Nicolas Holzapfel <signup at nholz.com> wrote:

>> I've confessed to insanity before<http://twitter.com/aarnott/status/2009287785>.
>>  But whether or not I'd want to refute this particular accusation would
>> first require that I know on what grounds the accusation stands.  Does your
>> anonymous co-designer call me insane because I'd want to disable my
>> password?  Personally, I trust my OP much more than I trust my own ability
>> to manage hundreds of secure passwords.  So yes, I'd want to disable my
>> password.  Short of a password disable feature, I'd change my password to a
>> cryptographically strong random password so that neither I nor anyone else
>> could ever log in using it again... thus providing me with as much login
>> security as my OP affords (which is phishing resistant and more convenient
>> than remembering so many secure passwords).
>>
>> - Andrew Arnott
>
> My anonymous co-designer would judge you insane on the grounds that by
> changing your password to a cryptographically strong random password that
> neither you nor anyone else could ever log in again you are, in effect,
> disabling your site-specific password, so there is no point whatsoever in
> you having the option to disable it in a more straightforward way. The
> anonymous co-designer says that since Media Temple is practically
> impenetrable, your password is only insecure when you're typing it in, so
> since you never type it in again, it is completely secure.


I think it was Shade who pointed out after my comment about changing my
password to some crazy value that that still isn't as secure as disabling
the password, since a "password recovery" step might easily allow someone to
circumvent that security and commandeer my password and thereby my identity.