top | item 5746296


dmoose | 12 years ago

I clicked the lost password link on a site handling legal documents the other day and they sent me a plaintext copy of my password via unencrypted email.

There may be issues with a central identity provider, but given the wide range of horrible choices implemented by so many different websites I think the assumption that keeping identity between you and the site owner is a better choice than trusting a central provider is true only in a limited number of cases.

If I hadn't hit the lost password link I never would have known that they keep an unencrypted copy of my password. Finding one trustworthy central provider at least protects you from unknowingly trusting a large number of incompetent providers.
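What a site would need instead of the design dmoose describes, as an added example (not code from the thread or from any site mentioned in it): a store that keeps only a salted PBKDF2 digest, so a lost-password flow has nothing to mail back and has to issue a one-time reset token instead. The in-memory dicts, user names and passwords below are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores for the example; nothing here is from the site in the post.
ITERATIONS = 600_000  # PBKDF2 work factor; tune to your hardware


def register(db, user, password):
    """Store only a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[user] = {"salt": salt, "digest": digest}


def verify(db, user, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = db.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, rec["digest"])


def recoverable_password(db, user):
    """What a 'lost password' mailer could send back: with a hashed store, nothing."""
    rec = db.get(user)
    return None if rec is None or "password" not in rec else rec["password"]


def issue_reset_token(db, tokens, user):
    """Replace 'mail the password' with a one-time token; only its hash is kept server-side."""
    if user not in db:
        return None
    token = secrets.token_urlsafe(32)
    tokens[user] = hashlib.sha256(token.encode()).digest()
    return token


def redeem_reset_token(db, tokens, user, token, new_password):
    """Set a new password if the token matches the stored hash, then invalidate the token."""
    expected = tokens.get(user)
    if expected is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), expected):
        return False
    del tokens[user]
    register(db, user, new_password)
    return True
```

A real deployment would also expire the token and rate-limit both endpoints; those parts are left out to keep the example short.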

kijin | 12 years ago

It's been a while since I gave two damns about websites keeping passwords in plain text, because nowadays I use a different randomly generated password for each website. If someone compromises a website's database, my password won't work on any other website, and the only website where it works is already under the attacker's control so there's not much additional damage done.

If we made it very easy for everyone to do the same, I think that the problem of insecure storage can be circumvented for the most part, even without moving to a centralized account management system. My proposal is basically to facilitate widespread adoption of password wallets like LastPass. Since such tools are already used by millions of people and do not require much effort on the part of individual websites, I think it has a better chance of success than trying to move everyone to use Persona.