[OpenID] Password age and password reset
Breno de Medeiros
breno at google.com
Thu May 14 16:26:58 UTC 2009
One way to see this is that the user's accounts at each of the 10 rps
was abused, and therefore he/she is getting a chance to restore each
to a sane state.
If we had the age of the password (at least for recent password
changes), RPs may be able to detect that the password has changed
since the last time there was a login associated with abusive
behavior, and choose not to request the password change.
This scenario is *much more convenient* for users than the current
practice, when users often enter the same password everywhere and will
have to go through 10 account recovery procedures.
On Thu, May 14, 2009 at 9:04 AM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> If the user subscribes to 10 rps, can be asked to change password by
>> any of them, at any moment (at any of n idps) else be "locked out".
>>
>> So far, this is what has been said.
>
> The policy for one RP does not extend to the other RP's - if the one RP
> suspects that the user's password is too old (or too new), it can send the
> user back to the OP with an assertion for and from ITSELF (not any other
> RP's) that the user will be "locked out" from the one RP until certain
> conditions have been met.
>
> There is a related discussion on the specs list about group ID's, some
> implementations of which could result in multiple concurrent active sessions
> - usually a sign of suspicious activity.
>
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
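The RP-side decision sketched above, written out as an added example that is not code from the thread or from any OpenID implementation: given the password-change time an OP would report and the RP's own record of its last abuse-associated login, decide which RPs still need to force a reset. The attribute name, the clock-skew margin and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


def needs_password_reset(last_abusive_login: Optional[datetime],
                         password_changed_at: Optional[datetime],
                         clock_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Return True if this RP should still send the user back to the OP for a reset.

    last_abusive_login: RP's own record of the most recent login tied to abuse (None if none).
    password_changed_at: time of the last password change as asserted by the OP
                         (None if the OP does not expose password age).
    clock_skew: margin between RP and OP clocks (assumed value).
    """
    if last_abusive_login is None:
        return False  # this RP never saw abuse, nothing to recover
    if password_changed_at is None:
        return True   # no age available: cannot prove the credential was rotated
    # Only a change that clearly postdates the abuse (beyond skew) lets the RP skip the reset.
    return password_changed_at <= last_abusive_login + clock_skew


def rps_requiring_reset(abuse_by_rp: Dict[str, Optional[datetime]],
                        password_changed_at: Optional[datetime]) -> List[str]:
    """Apply the per-RP decision across all RPs the user is subscribed to."""
    return sorted(rp for rp, seen in abuse_by_rp.items()
                  if needs_password_reset(seen, password_changed_at))


# Constructed sample: the "10 rps" case, three of which recorded abuse.
T0 = datetime(2009, 5, 14, 9, 0, tzinfo=UTC)
SAMPLE_ABUSE: Dict[str, Optional[datetime]] = {
    "rp1": T0,                             # abuse before the change
    "rp2": T0 + timedelta(hours=1),        # abuse before the change
    "rp3": T0 + timedelta(days=1),         # abuse after the change
    **{f"rp{i}": None for i in range(4, 11)},
}
SAMPLE_CHANGED = T0 + timedelta(hours=2)   # OP-asserted password change time

if __name__ == "__main__":
    print("with password age:", rps_requiring_reset(SAMPLE_ABUSE, SAMPLE_CHANGED))  # ['rp3']
    print("without age:", rps_requiring_reset(SAMPLE_ABUSE, None))  # ['rp1', 'rp2', 'rp3']
```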