[OpenID] Password age and password reset

Breno de Medeiros breno at google.com
Wed May 13 00:12:05 UTC 2009


I share with you the concerns about the password age. However,
depending on the shape the spec takes, I think your concerns can be
addressed. For instance, for the purposes we describe, only knowing if
the password age is less than, say, a few minutes or hours would be
sufficient to determine if a password reset took place recently.

I don't mean to force password reset. Note in usability considerations
that OPs will suggest that the user might want to change the password
based on a request for the RP. It might also say that if the user
refuses to change the password, they may not be able to log in to the RP.
The OP can also use that as a signal that there may be suspicious
activity in the account.

Issues of RP trust are not as important here as you may think. If only
the fact that the password was changed recently is shared, RPs and OPs
can infer trust in their respective signals via statistical models and
regression. I think we should avoid the issue of trust altogether in
this discussion, because it can be incorporated on an ad hoc basis.

We also agree that there are probably more signals that would be
useful to share, but so far in various discussions the time since last
password reset has appeared as an objective measure that can be of use
for most parties.

On Tue, May 12, 2009 at 4:53 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> I do think it's odd that an RP can force a password change. It sounds like
> you're looking for a mechanism for an RP to report "suspicious activity" on
> an account. Perhaps the best solution would be for the RP to just inform the
> user of suspicious activity, and to recommend that the user change their PW.



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)