OSNews

Hands done. just the rest of the body to go.

Good point.

I'll pay that. Good point really. I still think it's neat they're offering it though.

Do those third party sites actually get your password though? I would think they don't, they just use MS's service which validates your login. Your password would still be stored only with Microsoft, at least I would think. Otherwise you're right, it would be a big security risk.

It is a terrible idea to store a password. Much better to store only a representation, such as an MD5 or SHA1 of the password.

Actually, I prefer encrypting data solely owned by the owner, with the owners password.

It depends on the data. Often the website system has to be aware of the content of the users data (when they aren't logged in) in order to work.

Actually, you're about 3 years out of date. SHA1 and MD5 passwords can be guessed using Rainbow codes. You should encrypt a password hash, or use some other, private obfuscation method to prevent rainbow cracking.

The password is only stored with Microsoft the website can make calls to pull user information or if it is relative credit card information, color theme, also with this authentication you can add Live services to your website such as if you signed into osnews you would be able to access your email or contacts right in osnews without having to open a seperate Windows Live Hotmail window.

There's lots of places where not having an extra password to remember would be a real boon, without being a major security risk. Web forums for one. Also, I imagine Microsoft's servers are more secure than anything this would replace (I can feel the flames..), and once your credit card data has been nabbed, what more harm can be done?

As far as I know, the sites that implement it never get your password. Microsoft simply tells the site that you are a valid live user.

Where is the weakpoint?

The Live part?

If your password gets stolen, or your 'valid Live identification' gets spoofed, the end result is the same regardless.

Right. How is that any different from your password getting stolen for any specific site?

There's a huge difference between having the same identity on all sites and having different identities on all sites.

The biggest flaw in having one ID mechanism is having one ID mechanism.

EDITED: Ought to add that having your cross-site ID stolen means your ID is stolen for all sites using that mechanism whereas using a non cross-site mechanism leaves you with a more fragmented but also safer solution. Only the site where your login handle and password is broken will be unsafe. All the others will be safe (if you have remembered NOT to use the same password for all sites

Almafeta is quite right on this issue (did I really write that!?) and me agreeing with him is more rare than me agreeing with you

OpenID suffers from the same problems, because they stem from the nature of such global solutions.

Edited 2007-08-17 16:21 UTC

Problem is though, that we're human and the majority of us will not remember 20 different passwords for the sites we go to on a regular or occasional basis.

Most people I know use the same 3 or 4 passwords all the time. But then some sites let you create a username while others want your email, etc... It becomes hard to keep track of that stuff.

So on a practicality point of view, MS's initiative is a good idea.

On a security point of view, I suppose you have to decide if you prefer Microsoft's site to have your information and let sites you authorize access it on a need to know basis, or if you want a multitude of sites have a subset of your information.

Quite frankly it seems there's no ultimately secure option other than not giving your information to anybody. Because in the end you have no way to prevent some dude working for some website you shop at from getting his laptop stolen from his car with a backup of the site's database on it...

And as for MS's possible hidden agenda in doing that. I suppose it's another way to gather marketable stats about what people do and like so you can better target your advertising.

If I set up my own Open ID server, I could assign one set of login credentials for Site A, another for Site B, and yet another for Site C.

If someone was able to break into Site B's database server and siphon off the credentials of all Site B's customers then my credentials for Site A and Site C would be unaffected. However, if I was like John Doe and only used a single set of login credentials for every site I used it would be a major issue as all sites I used would be affected.

Would I personally use MS's authentication system? No - I can fully understand why plenty of other people would though. Proper security is a fine ambition, but if it's not simple enough for the public to use it then it'll be rendered virtually useless.

>> As far as I know, the sites that implement it never get your password. Microsoft simply tells the site that you are a valid live user.

What about Phishing? The website may say the password is going straight to Microsoft but how difficult is it for someone to setup a spoof site which accepts your username and password and then logs you in?

I am sure it is possible to over come most of the risk, however how do you train the users to spot phishing attempts?

What about Phishing? The website may say the password is going straight to Microsoft but how difficult is it for someone to setup a spoof site which accepts your username and password and then logs you in?

That's a completely separate problem that can't really be addressed with this.

You shouldn't login to a site you don't trust. If you go to a site that is spoofing a site you DO trust, you have bigger problems.

It could be more secure. People tend to reuse logins and passwords anyway - that way your identity is effectively only as well protected as the protection of the weakest link. Too often in the last years have I seen warnings on websites that they were hacked and someone made off with a userlist and unprotected passwords.

MS in this case is in the business of selling trust. Like a bank they offer a certain level of security and in turn you allow them to manage your identity (like the bank manages your financial identity.) It all depends what you prefer, all your money in the bank or hidden around your house under the mattras, in the sockdrawer, ...

So far Microsofts Live ID has proven to be not particularly safe. Using Live ID (or any other such global ID) pretty much equals using the same login handle and password for all websites. Perhaps it is a bit safer than having a lot of identical login handles and passwords for a lot of semi-insecure websites, but global ID's are still less safe than different login handles and different passwords.

Of course it is. Alternatives are obviously an evil thing.

I would like to think that eventually Microsoft will be able to work to make the two ID standards communicate together like they did with Yahoo reguarding IM clients

They'll do part of that—they'll make WLID an OpenID provider. Everyone will get name.passport.com or something as their OpenID.

Will they ever let you sign up and log into Hotmail or Messenger with an OpenID, though? Not a chance in hell.

Here is one opinion about OpenID:
http://miksovsky.blogs.com/flowstate/2007/08/openid-great-id.html

Great link for someone unfamiliar with OpenID. Thanks.

Or *shock* Project Liberty!

Not to sound completely redundant, but there is already one setup with major backing - why re-create yet another technology simply to 'stick it to the man'?

Frankly, I think that centralized authentication is a *horrible* idea. But it is something that people *will* buy into. When security and convenience collide, convenience will win, hands down.

Microsoft's offering is a given. I hope that everyone else can get behind one other "solution".

After the slaughter that will likely result from everyone's identity being stored in one place... the web will likely rebound back to everyone having their own auth mechanisms.

Hence the reason why Project Liberty is actually gaining traction over Microsoft's - because it is federated; those who have the information can control what information is shared. It also allows the end user to control what is shared.

Like I said, the specifications are there, the problem is, there is a giant grab to get the technology to allow control over the information centrally - from what I see, it has nothign to do with competition and everything to do with many vendors wanting to control all the information. Neither are going to win major commercial backing if that is ultimately the approach taken.

There has been many "slaughters" in the past, people got their credit card numbers stolen, their email read by unauthorized persons and even deleted. That changed nothing and never will. As you said, when security and convenience collide, convenience will win, hands down.

As far as security is concerned, nothing stays in a way of centralized authentication.

As long as you have your web hosted, you are at mercy of providers personnel anyway, they can sell your data, or simply be sloppy with basic security.

Reliability is another problem. If ID provider is unreachable, your web is not accessible.

.. to load up a site like this one for example, and the site asked me for my Microsoft ID, I would leave the site and never re-visit.

Man don't give them any personal info, just create a bogus hotmail account with fictional name etc. and use that.

Just because they ask for your info dosen't mean you gotta be honest.

"""

"""

Because, as we all know, dishonesty is the best policy. :-)

Has the Internet made us all this nasty, or has it simply exposed us for what we are?

Edited 2007-08-17 18:38

Because, as we all know, dishonesty is the best policy. :-)

I think of it more as protecting yourself from spam and the possibility of identity theft. The less of yourself you *put* online the less of a chance you'll have problems later.

Has the Internet made us all this nasty, or has it simply exposed us for what we are?

Companies have conditioned this behavior through the selling of our information and the constant bombardment of advertising.

There is nothing nasty about protecting yourself or 'opting' out of possibly marketing by entering incorrect information.

What reason should someone need my home address when all I want to do is sign in to a forum on the net? None that I can think of! :)

I've been using password/live for a while on various sites with no problems.

The only time I have seen Passport take awhile is when Microsoft did a new drop in the Vista beta where you have 10,000 kids all pressing F5 at the same time to get it first. And even with that their servers still hold well.

Hotmail spam detection is not about preventing spam but about forcing website owners to pay $1000s subscription to some whitelist.