OpenID Security Discussion

Here are the slides that we presented during the OpenID Summit. The basic premise was to identify the list of issues that have been mentioned in the past and classify them as

• Protocol Issues
• Browser / Http Issues
• Deployment Issues.

Breno (Google) had a follow up session at IIW to address the protocol issues.

OpenID Protocol Issues

Michael Hanson (Mozilla)  and Jeff had a session to address browser / http issues. (Still trying to find notes from that session).

Show Password

Ever forgot a saved password? Enter the following Javascript code in your browser’s address bar to reveal the hidden password:

javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();
You can even create a new bookmark and enter the above in the location field. It takes one click to see the password then.

How do you manage your passwords?

Since passwords aren’t going away for now, I asked a few on how do they manage their passwords. Here are some responses:

• Write them on a paper / notepad and keep it in the drawer.
• Keep them in a Word/Excel spreadsheet and password-protect the file.
• Use client-based software (example: KeePass, PasswordSafe, 1Password).
• Use external password managers that plugs into your PC (example: IDVault, IronKey) – to avoid the portability issue with the previous option.
• Use the browser ‘remember password’ feature.
• Use browser based password managers (example: Roboform, Sxipper, LastPass).
• Use the same password everywhere (hey…most convenient and SSO )
• Use the same password for a set of sites and mentally segregate them in various categories (e.g. work, home, finance).
• Use the same password everywhere but a different username.
• Use a personal algorithm (example: AbC<sitename>123). Easy to remember; portable; different for each site and results in a complex password.
• Use a passphrase (example: “I really love this blog” or a derivation “irltb”. Even better if the phrase is in a foreign language).

By the way, here are some good tips from Microsoft on creating passwords.

Random Password Statistics

• Number of online accounts that an average user has: 25
• Number of passwords that an average user has: 6.5
• % of US consumers that use 1-2 password across all sites: 66%
• Number of times an average user login per day: 8
• Average password length: 8
• Most commonly used password: password1
• % of users that use personally meaningful words: 54.9%
• % of users that use the ‘Remember my password’ function: 28.6%
• % of users that write down their password: 15%
• Average time users maintain the same password: 31 months.

Sources:

• http://research.microsoft.com/en-us/um/people/cormac/Papers/www2007.pdf
• http://news.cnet.com/8301-1009_3-9989071-83.html
• http://www.gartner.com/it/page.jsp?id=895012
• http://psychology.wichita.edu/surl/usabilitynews/81/Passwords.asp