I've been trying to get these two to play nicely together for a while, and it looks as if Will Norris may have finally slain this here dragon. Will is the principal author of the WordPress OpenID plugin.
In an ideal world, people never, ever disclose passwords on unprotected Internet connections. In general this means the server has to provide SSL support. However, you can sort of sidestep the problem by using OpenID. It's not perfect, but it addresses that particular vulnerability. (Revised 1/28)
Will Norris is working on a revision to OpenID for WordPress. This is good, and I have some observations and suggestions. At the moment the OpenID plugin works pretty well - I have separate logins delegated through domains I own. I routinely log in through OpenID for both routine and administrative activities.
It's no surprise that someone managed to reset Sarah Palin's password on a freebie e-mail account. She's a public figure and the answers to her so-called "security questions" are on the public record. It's one thing to do personal and political e-mail on a Yahoo account but it's DUMB to use such an account for government business when you have your very own support staff to keep that e-mail secure.
Large-scale vendors like Yahoo and Google can't help but do a bad job at authentication. This is why OpenID poses such promise - it lets us choose our authentication provider. Yes, some people will choose bad vendors. Careful people, however, get to choose safe ones.
These are design patterns in the Christopher Alexander sense rather than the object oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.
There are four patterns: local, direct, indirect, and off-line.
Thanks to Gary Krall, tech director of PIP at Verisign, I have a recipe for "works every time" OpenID delegation with their free PIP service. First, what is OpenID delegation?
Delegation lets you use your very own URL as your identity URL for logging in with OpenID. For example, I can use http://www.cryptosmith.com/ to log in to web sites. To do this, you have to put some special statements (a.k.a. magic) in the HTML of the page served at that URL: a pair of link tags in the page's head (openid.server and openid.delegate for OpenID 1.1, openid2.provider and openid2.local_id for OpenID 2.0) that redirect the OpenID process from your web site to the service that actually does your OpenID authentication. The relying party fetches your page, reads those tags, and sends you to the named provider instead of trying to authenticate you at your own site.
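The discovery step a relying party performs on a delegating page, as an added example (not code from the original post, the WordPress plugin, or Verisign): it parses the head of an HTML identity page, picks out the OpenID 1.1 and 2.0 link tags, and reports which provider endpoint and local identifier the page delegates to. The sample pages are constructed here; the PIP endpoint and the pip.verisignlabs.com identifier they contain are assumed values for illustration, not copied from the recipe.

```python
"""Discover OpenID delegation links in an HTML identity page.

Added example, not part of the original page. The sample HTML below
is constructed for the example; the Verisign PIP URLs in it are assumed.
"""
from html.parser import HTMLParser

# Link relations defined for HTML-based discovery in OpenID 1.1 and 2.0.
OPENID1_RELS = {"openid.server", "openid.delegate"}
OPENID2_RELS = {"openid2.provider", "openid2.local_id"}


class _LinkCollector(HTMLParser):
    """Collects OpenID <link> tags, but only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        href = a.get("href")
        rel = a.get("rel") or ""
        if not href:
            return
        # rel may carry several space-separated values, e.g.
        # rel="openid.server openid2.provider"; honor each one.
        for r in rel.lower().split():
            if r in OPENID1_RELS or r in OPENID2_RELS:
                self.links.setdefault(r, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover_delegation(html):
    """Return {'version', 'endpoint', 'local_id'} or None if no delegation.

    OpenID 2.0 tags are preferred when both generations are present,
    matching what a 2.0-capable relying party does.
    """
    p = _LinkCollector()
    p.feed(html)
    p.close()
    links = p.links
    if "openid2.provider" in links:
        return {"version": 2,
                "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id")}
    if "openid.server" in links:
        return {"version": 1,
                "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate")}
    return None


# Constructed sample: a home page delegating to an assumed PIP account.
SAMPLE_PAGE = """<html><head>
<title>Cryptosmith</title>
<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://cryptosmith.pip.verisignlabs.com/" />
<link rel="openid2.provider" href="https://pip.verisignlabs.com/server" />
<link rel="openid2.local_id" href="http://cryptosmith.pip.verisignlabs.com/" />
</head><body>
<link rel="openid2.provider" href="http://evil.example/ignored-in-body" />
</body></html>"""

# Constructed sample: OpenID 1.1 tags only, with a combined rel attribute.
LEGACY_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example/server">
<link rel="openid.delegate" href="https://op.example/user/alice">
</head><body>hi</body></html>"""


if __name__ == "__main__":
    print(discover_delegation(SAMPLE_PAGE))
    print(discover_delegation(LEGACY_PAGE))
    print(discover_delegation("<html><body>no delegation</body></html>"))
```

The body-level link in the first sample is deliberately ignored: the specs restrict discovery to the head, and a parser that scans the whole document would let page content (a comment, a forum post) inject a provider. That is also the first thing to check when delegation "works sometimes": confirm the tags are in the head of the page actually served at your identity URL.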
Randall Stross/Digital Domain has posted a NYT story on passwords, Open ID, and Information Cards.
The "Information Card Foundation" is only a few weeks old, and the technique is trying to solve problems with both passwords and with Open ID. The posting roasts the old chestnuts about how bad passwords are (does anyone really need convincing?), then roasts Open ID a bit, and then introduces Information Cards, a slightly more flexible but still vulnerable technology.
Personally, I'm not convinced that Information Cards are any safer or easier to use than Open ID can be.