[security] how secure is openid? advise pls..
Dan Lyke
danlyke at flutterby.com
Mon Feb 9 21:23:04 UTC 2009

On Mon, 9 Feb 2009 13:53:32 -0700
SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
> The question then becomes - how do you know you can trust a given OP?

Which, when compared to a traditional password situation, becomes "how
do you know you can trust a given user".

> Or, if those assertions are *not* present, inform the user that their
> OP has vouched for them but the level of security is not sufficient
> to permit full services.

Or let them make that call.

I've had at least one bank that made me jump through all sorts of
stupid hoops, but restricted my password choices so much that they may
as well have said "and it has to be your first and last name" (what is
it with banks and restricted password characters? Do they not know how
to escape their SQL?).

I'd feel far happier with unencrypted HTTP through my own site than
trusting what most of my financial institutions do with passwords.

Dan