{"id":84,"date":"2008-01-28T00:06:13","date_gmt":"2008-01-28T08:06:13","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/01\/28\/one-username-to-rule-them-all\/"},"modified":"2008-01-28T00:06:13","modified_gmt":"2008-01-28T08:06:13","slug":"one-username-to-rule-them-all","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/01\/28\/one-username-to-rule-them-all\/","title":{"rendered":"One Username to Rule Them All"},"content":{"rendered":"<p><font face=\"Calibri\">My husband has been working on a pet project lately that needs to have a user login system.\u00a0 Although he could build one himself or purchase a system, he is probably going to go with OpenID.\u00a0 Using OpenID simplifies the project immensely and is probably more secure than anything he or I could write.\u00a0 Already it is estimated that there are over 160-million OpenIDs with nearly ten-thousand sites supporting OpenID logins (<a href=\"http:\/\/openid.net\/what\/\">http:\/\/openid.net\/what\/<\/a>).\u00a0 But it does beg the question, how secure is OpenID?<\/font><\/p>\n<p><font face=\"Calibri\">OpenID is \u201can open, decentralized, free framework for user-centric digital identity (<a href=\"http:\/\/openid.net\">http:\/\/openid.net<\/a>)\u201d.\u00a0 \u00a0Basically, a user sets up an account with one of several OpenID Providers (openid.net, aol.com, etc.).\u00a0 The provider keeps the username, password, email and all sorts of other account information the user wants there.\u00a0 When the user goes to a site that uses OpenID authentication (blogger.com, lol.com, and <a href=\"https:\/\/www.myopenid.com\/directory\">more<\/a><\/font><font face=\"Calibri\">), they enter their OpenID and are redirected to the Provider\u2019s site.\u00a0 Here they enter their credentials and grant access to the referring website.\u00a0\u00a0 That is the process in a nutshell, but see <a href=\"http:\/\/www.youtube.com\/watch?v=xcmY8Pk-qEk\">this video 
<\/a>for a really great, succinct explanation.<\/font><\/p>\n<p><font face=\"Calibri\">The driving idea behind OpenID is to have only one set of credentials for all your online identities.\u00a0 This way you do not have to remember which username goes to which website and passwords for each.\u00a0 Sounds pretty good\u2026 but what happens if your OpenID is compromised?\u00a0 An adversary has access to ALL your online accounts.\u00a0 The consequences of a compromised OpenID are intense.\u00a0 On the other hand, people generally use the same username and password for everything anyway, which is definitely a security problem and has the same consequences as a compromised OpenID.<\/font><\/p>\n<p><font face=\"Calibri\">Benefits of OpenID are that small businesses and developers do not need to implement their own login system, users can change personal information or passwords once and have it apply everywhere, and users are less likely to do dumb things like write lists of usernames and passwords.\u00a0 <\/font><\/p>\n<p><font face=\"Calibri\">However, OpenIDs have some problems also.\u00a0 First, OpenIDs are URLs, for example http:\/\/inkblotpassword.com\/id\/jessica.\u00a0 For an average user, a URL is difficult to remember and very unfriendly.\u00a0 Personally, I think users would get used to it just as they have with email addresses.\u00a0 There is nothing innately harder about URLs. The OpenID system is prone to phishing attacks because the user is redirected to the provider\u2019s page, which could easily be imitated.\u00a0 There have been problems with CSRF attacks (cross site request forgery attacks). 
\u00a0One of the largest providers, the MyOpenID.com site, had this issue, but when notified, they <a href=\"http:\/\/www.thespanner.co.uk\/2007\/06\/29\/openid-security-issues\/\">reacted promptly<\/a>.\u00a0 Another issue is that the set of specifications that a provider must implement is fairly small.\u00a0 There are no requirements on the strength of passwords or even to have a password.\u00a0 <\/font><font face=\"Calibri\">From a security standpoint, OpenID just adds another layer of complexity for things to go wrong.\u00a0 It also puts a burden on the user to choose a provider they can trust.\u00a0 <\/font><\/p>\n<p><font face=\"Calibri\">With all this in mind, is OpenID a good system?\u00a0 Will it prove to be the downfall of the Internet as some naysayers have speculated? Or will it bring about a revolution in convenience?\u00a0 Should\u00a0a website use OpenID as their username and password management system?\u00a0 Would it be an acceptable system for banks or other financial institutions?<\/font><\/p>\n","protected":false},"excerpt":{"rendered":"<p>My husband has been working on a pet project lately that needs to have a user login system.\u00a0 Although he could build one himself or purchase a system, he is probably going to go with OpenID.\u00a0 Using OpenID simplifies the &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/01\/28\/one-username-to-rule-them-all\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":43,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[72,71,16],"class_list":["post-84","post","type-post","status-publish","format-standard","hentry","category-miscellaneous","tag-account-management","tag-openid","tag-security"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/84","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=84"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/84\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=84"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=84"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=84"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}