On 04/16/2011 02:21 PM, AJ ONeal wrote:
> More importantly, why isn't SSO being used instead?

Let's say you're developing a public web site and you want people to access it more securely than they would access a blog. What kind of authentication would you use? I doubt it would make sense to use Facebook, Twitter, Google, and so on as a SSO service since people frequently use poor passwords with those services. OpenID has major usability problems. Are there any other SSO options that public web sites can use? (Shibboleth, Kerberos, client SSL certs, and others require client-side configuration, making them useless for public web sites.)

> And in the rare case that authorization depends on discrete
> authentication, what is the password being used for?
> If it's a *bank password*, then J4fS<2 is terribly insecure.
>
> He has it written in his wallet.

Agreed, that's why all password fields should allow passphrases and password meters should rank "this is fun" at least as high as "J4fS<2".

> (My bank requires a short (6 min, 8 max) password with randomness.

Your bank is foolish to disallow more than 8 characters.

> If it's *e-mail*, the strength of the password is incredibly important,

Correct. In today's environment, e-mail passwords are effectively SSO passwords.

> With the e-mail password you can get the plain-text password sent to you
> from any blog or like account.

I assume you're also talking about clueful web site operators who store only a salted password hash, never the plaintext password; clueful web sites still allow you to reset your password by sending a secret URL to your email address.

> The strongest password is one that you don't write down or give out.
> Mathematically fits the bill in my book.

I think "mathematically" should be allowed as a password, but not scored very high, since I believe it is much more guessable than a phrase even as simple as "this is fun".

Shane

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
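The ranking argument in the exchange above (a meter should put "this is fun" at or above "J4fS<2", and "mathematically" well below both) can be made concrete with a toy estimator. The following is an added example, not code from either poster or from PLUG: it compares what a naive classes-times-length meter reports against an estimate that lets the attacker pick the cheapest strategy, including a dictionary or word-combination attack. The wordlist size of 100,000 and the small KNOWN_WORDS set are assumptions constructed for the example; the symbol class counts the 32 ASCII punctuation characters plus space.

```python
"""Toy password-meter comparison for the three passwords in the thread:
"J4fS<2", "this is fun" and "mathematically".

Added example, not code from the thread. It shows that a meter that only
counts characters and character classes ranks the short random string
highest, while a meter that models the attacker's cheapest strategy
(dictionary words and word combinations) ranks the passphrase highest
and the single dictionary word lowest.
"""
import math
import re
import string

# Assumption: the attacker's wordlist has about 100,000 entries. The tiny
# set below only decides *whether* a token counts as a known word; the
# size constant drives the guess-count arithmetic.
ASSUMED_WORDLIST_SIZE = 100_000
KNOWN_WORDS = {"this", "is", "fun", "mathematically", "password",
               "correct", "horse", "battery", "staple"}  # constructed sample

# 32 ASCII punctuation characters plus space: a 33-character "symbol" class.
SYMBOLS = set(string.punctuation) | {" "}


def charset_size(password: str) -> int:
    """Alphabet size a naive meter infers from the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def brute_force_guesses(password: str) -> int:
    """Guesses for exhaustive search over the inferred alphabet."""
    return charset_size(password) ** len(password)


def dictionary_guesses(password: str):
    """Guesses if the password is purely known words and spaces:
    wordlist_size ** number_of_words. Returns None otherwise, e.g. when
    digits or symbols are mixed in and the attacker must guess those too."""
    words = re.findall(r"[a-z']+", password.lower())
    if not words or not all(w in KNOWN_WORDS for w in words):
        return None
    if re.sub(r"[a-z' ]", "", password.lower()):
        return None  # something other than letters/apostrophes/spaces present
    return ASSUMED_WORDLIST_SIZE ** len(words)


def estimated_guesses(password: str) -> int:
    """The attacker's cheapest applicable strategy wins."""
    candidates = [brute_force_guesses(password)]
    dict_guesses = dictionary_guesses(password)
    if dict_guesses is not None:
        candidates.append(dict_guesses)
    return min(candidates)


def naive_bits(password: str) -> float:
    """What a classes-and-length meter reports."""
    return math.log2(brute_force_guesses(password))


def strength_bits(password: str) -> float:
    """Attacker-aware estimate in bits."""
    return math.log2(estimated_guesses(password))


def rank(passwords):
    """Strongest first under the attacker-aware estimate."""
    return sorted(passwords, key=strength_bits, reverse=True)


if __name__ == "__main__":
    samples = ["J4fS<2", "this is fun", "mathematically"]
    for pw in samples:
        print(f"{pw!r:18} naive {naive_bits(pw):5.1f} bits   "
              f"attacker-aware {strength_bits(pw):5.1f} bits")
    print("ranking:", rank(samples))
```

Under the naive meter "mathematically" (14 lowercase letters) scores highest, "this is fun" second and "J4fS<2" last; under the attacker-aware estimate the order is "this is fun" (three words from an assumed 100,000-entry list), then "J4fS<2" (95^6 brute force), then "mathematically" (one dictionary lookup). Note that the passphrase only wins because the input field accepts spaces and more than 8 characters, which is exactly what the bank's 8-character cap above forbids. Production meters such as zxcvbn apply the same idea with far larger wordlists and more patterns (keyboard walks, dates, leetspeak).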