Geeks With Blogs
Garrett Hoofman ..:: visions of afar ::..

So I was thinking a couple of days ago about password security on web sites. When you sign up for an account you have to give them your username, your password, email address, Residential address sometimes, and all sorts of other information.

What happens when the web site that you entered in all of that information gets hacked into and they steal your username, your password, and your email address. Most people use the same username/email address and password for most of their log ins, including their banking. This means that as soon as a hacker gets access to usernames and passwords even if they're hashed sometimes, they can get into your online banking.

Now how many web sites have you registered yourself on? Any idea? I haven't got the foggiest idea how many I've signed up to. Probably over a hundred sites by now. So, in order to change your user name and password or to remember your user name and password, you have to think really hard about all of the places you've been and all of the passwords you have and come up with the right combination.

So, what if there was a web service that any site could register to and they could get a framework that would allow them to allow users that are also registered with the site to gain access. This way, the individual site doesn't have to store user names and passwords, they are secure. The users would then have a complete list of all of the sites that use the service that they have accounts with. They could easily remove the account with them and they could change their username and passwords in one location. A user would only have to remember one username, and one password for all of the sites that they want access to.

It would be a simple service, that would be made very secure, and impenetrable.

The site would not have access to the users password, because they wouldn't need it, the web service would do the log in check. The site could then have access to the users unique ID, Username, Name, and Email address.

The site would be given a unique key and a password and that's how they would gain access to only users which have signed up for their site. They would only be given read-only access, so there's no worry about sites manipulating user data.

Any ideas around these lines? Suggestions? Or thoughts?

Posted on Friday, September 21, 2007 1:05 PM | Back to top


Comments on this post: A Password Service

# re: A Password Service
Requesting Gravatar...
And how would this be different than ".NET Passport / Live ID" (whatever they're calling it now), or OpenID? Sounds pretty much the same to me.
Left by Mark Erikson on Sep 21, 2007 2:17 PM

# re: A Password Service
Requesting Gravatar...
That was one authentication scheme with ASP.NET and Microsoft Passport actually: authenticate your site with the Passport login.

The downfall of any service like that though is distributed reliability: if the password service goes down for whatever reason, then all the websites that rely on it for registration and login are locked out.

You'd need crazy liability coverage as well: let's say the service did go down, and all of a sudden you have x number of online retailiers screaming bloody murder about how much money in sales their using because they can't have their users login to purchase items, or something along those lines.

Not bashing the idea...its unfortunate that the whole username/password thing has become the monster it is...we need retinal scanners to come down in price and require them as part of every computer.

D
Left by D'Arcy from Winnipeg on Sep 21, 2007 2:18 PM

# re: A Password Service
Requesting Gravatar...
Thank you for the comments. D'Arcy you bring up a very good point, you'd have to have redundancy servers like crazy.
I haven't seen OpenID before, but I'll take a look at it.
Thanks,
Gambit Sunob
Left by Garrett Hoofman on Sep 21, 2007 2:22 PM

# re: A Password Service
Requesting Gravatar...
I stumbled accross this tonight...same sort of idea you had, but apparantly its already received the nod from Microsoft and AOL...

http://openid.net/

D
Left by D'Arcy from Winnipeg on Sep 23, 2007 9:42 PM

Your comment:
 (will show your gravatar)


Copyright © Garrett Hoofman | Powered by: GeeksWithBlogs.net