WordPress and OpenID Meet SSL

January 26th 2009

I’ve been trying to get these two to play nicely together for a while, and it looks as if Will Norris may have finally slain this here dragon. Will is the principal author of the WordPress OpenID plugin.

In an ideal world, people never, ever disclose passwords on unprotected Internet connections. In general this means the server has to provide SSL support. However, you can sort of sidestep the problem by using OpenID. It’s not perfect, but it addresses that particular vulnerability. (Revised 1/28) Continue Reading »

Posted under Security | 2 Comments »

Revising OpenID for WordPress

September 21st 2008

Will Norris is working on a revision to OpenID for WordPress. This is good, and I have some observations and suggestions. At the moment the OpenID plugin works pretty well – I have separate logins delegated through domains I own. I routinely log in through OpenID for both routine and administrative activities. Continue Reading »

Posted under Security & WordPress | 2 Comments »

Easily Reset Passwords and OpenID

September 20th 2008

It’s no surprise that someone managed to reset Sarah Palin’s password on a freebie e-mail account.  She’s a public figure and the answers to her so-called “security questions” are on the public record. It’s one thing to do personal and political e-mail on a Yahoo account but it’s DUMB to use such an account for government business when you have your very own support staff to keep that e-mail secure.

Large scale vendors like Yahoo and Google can’t help but do a bad job at authentication. This is why OpenID poses such promise – it lets us choose our authentication provider. Yes, some people will choose bad vendors. Careful people, however, get to choose safe ones. Continue Reading »

Posted under Security | No Comments »

“Design Patterns” for Identity Systems

September 18th 2008

These are design patterns in the Christopher Alexander sense rather than the object oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.

There are four patterns: local, direct, indirect, and off-line.

Continue Reading »

Posted under Security | No Comments »

Next »