[thelist] [OT] OpenID

Jack Timmons jorachim at gmail.com
Tue Mar 24 20:04:55 CDT 2009

On Tue, Mar 24, 2009 at 6:52 PM, Jim Puls <jim at nondifferentiable.com> wrote:

> Not to try to move the discussion elsewhere, but I've written a few more
> words on the subject:
> http://bit.ly/future-of-openid
> -> jp

I'd have to definitely disagree with your first post. Basically what you're
saying is "Instead of separating your account logins with different
passwords so if one is compromised, the rest remain safe, put all your eggs
into Google's basket, that way if someone figures out just that one, they
have free reign of everything you use associated with it."

No, thanks.

As for point number two, if you -don't- emphasize security on your login
forms, you deserve what happens (a la Twitter). Safeguarding against
dictionary attacks, SQL injection, ensuring users can't cause XSS attacks,
etc should be pretty standard fare to any developer.

And trust Google and Yahoo to authenticate my users? What if they go down?
What do I do then? Before you go the "Oh, they're mega tycoons, they'll
never go down", that's not the point. (Lehman Brothers ring a bell? AIG?
.com collapse?) I don't want to rely on someone else to make sure people can
use my website.

On a side note, I am enjoying the discussion, and I do hope I can feel like
I've been proven wrong, it's just that thus far, there's no real reason I
should use OAuth.

-Jack Timmons
Twitter: @codeacula

More information about the thelist mailing list