So I was thinking a couple of days ago about password security on web sites. When you sign up for an account you have to give them your username, your password, your email address, sometimes your residential address, and all sorts of other information.
What happens when the web site that you entered all of that information into gets hacked and they steal your username, your password, and your email address? Most people use the same username/email address and password for most of their logins, including their banking. This means that as soon as a hacker gets access to usernames and passwords (sometimes even if they're hashed), they can get into your online banking.
Now how many web sites have you registered yourself on? Any idea? I haven't got the foggiest idea how many I've signed up to. Probably over a hundred sites by now. So, in order to change your username and password, or just to remember them, you have to think really hard about all of the places you've been and all of the passwords you have and come up with the right combination.
So, what if there were a web service that any site could register with, and in return they would get a framework that lets users who are also registered with the site gain access? This way the individual site doesn't have to store usernames and passwords, so they are secure. The users would then have a complete list of all of the sites using the service that they have accounts with. They could easily remove their account with any of them, and they could change their username and password in one location. A user would only have to remember one username and one password for all of the sites they want access to.
It would be a simple service that would be made very secure and impenetrable.
The site would not have access to the user's password, because they wouldn't need it; the web service would do the login check. The site could then have access to the user's unique ID, username, name, and email address.
The site would be given a unique key and a password, and that's how they would gain access only to users who have signed up for their site. They would only be given read-only access, so there's no worry about sites manipulating user data.
Any ideas around these lines? Suggestions? Or thoughts?
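To make the proposal concrete, here is an added example that models it in Python. It is my own sketch, not code from the original post: the class names, the use of salted PBKDF2 for the stored password hash, and the short-lived HMAC-signed "assertion" (with an audience field tied to the site key and an expiry) are all my assumptions about how such a service could work. The service holds the only copy of the password; each site holds just a key and a secret; the site never sees the password, only a signed record with the user's ID, username, name and email; the user links, unlinks and changes their password in one place.

```python
"""Constructed model of a central login service: one place holds the
password hash, each relying site gets only a key/secret and a signed,
read-only profile record. All names and fields are assumptions."""
import hashlib
import hmac
import json
import secrets
import time

PBKDF2_ROUNDS = 100_000   # assumption; raise for a real deployment
ASSERTION_TTL = 300       # seconds a login assertion stays valid


class IdentityService:
    """The central service: stores salted hashes, does the login check."""
    def __init__(self):
        self._users = {}        # user_id -> {salt, hash, username, name, email, sites}
        self._by_username = {}  # username -> user_id
        self._sites = {}        # site_key -> {name, secret}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register_user(self, username, password, name, email):
        if username in self._by_username:
            raise ValueError("username taken")
        uid, salt = secrets.token_hex(8), secrets.token_bytes(16)
        self._users[uid] = {"salt": salt, "hash": self._hash(password, salt),
                            "username": username, "name": name, "email": email,
                            "sites": set()}
        self._by_username[username] = uid
        return uid

    def register_site(self, site_name):
        """A site gets a unique key and a secret (the 'password' in the post)."""
        key, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._sites[key] = {"name": site_name, "secret": secret}
        return key, secret

    def _check_password(self, uid, password):
        rec = self._users[uid]
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    # Everything the user manages in one location.
    def link_site(self, uid, site_key):
        self._users[uid]["sites"].add(site_key)

    def unlink_site(self, uid, site_key):
        self._users[uid]["sites"].discard(site_key)

    def linked_sites(self, uid):
        return sorted(self._sites[k]["name"] for k in self._users[uid]["sites"])

    def change_password(self, uid, old, new):
        if not self._check_password(uid, old):
            return False
        rec = self._users[uid]
        rec["salt"] = secrets.token_bytes(16)      # fresh salt on every change
        rec["hash"] = self._hash(new, rec["salt"])
        return True

    def authenticate(self, username, password, site_key):
        """The login check, done by the service. Returns (body, signature)
        for the user to hand to the site, or None. The site never sees
        the password; the assertion is bound to one site and expires."""
        uid, site = self._by_username.get(username), self._sites.get(site_key)
        if uid is None or site is None or not self._check_password(uid, password):
            return None
        if site_key not in self._users[uid]["sites"]:
            return None   # account never linked to this site, or removed by the user
        rec = self._users[uid]
        claims = {"sub": uid, "username": rec["username"], "name": rec["name"],
                  "email": rec["email"], "aud": site_key,
                  "exp": int(time.time()) + ASSERTION_TTL}
        body = json.dumps(claims, sort_keys=True).encode()
        return body, hmac.new(site["secret"], body, "sha256").digest()


class Site:
    """A relying site: holds its key and secret, never a user password."""
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def accept(self, assertion):
        """Verify the signature, audience and expiry; return the read-only profile."""
        if assertion is None:
            return None
        body, sig = assertion
        if not hmac.compare_digest(hmac.new(self.secret, body, "sha256").digest(), sig):
            return None
        claims = json.loads(body)
        if claims["aud"] != self.key or claims["exp"] < time.time():
            return None
        return claims


def demo():
    """Walk through the flow; all users and sites here are constructed."""
    svc = IdentityService()
    shop_key, shop_secret = svc.register_site("shop.example")
    forum_key, forum_secret = svc.register_site("forum.example")
    shop, forum = Site(shop_key, shop_secret), Site(forum_key, forum_secret)
    uid = svc.register_user("alice", "correct horse", "Alice", "alice@example.org")
    svc.link_site(uid, shop_key)
    ok = shop.accept(svc.authenticate("alice", "correct horse", shop_key))
    bad_pw = shop.accept(svc.authenticate("alice", "wrong", shop_key))
    not_linked = forum.accept(svc.authenticate("alice", "correct horse", forum_key))
    wrong_site = forum.accept(svc.authenticate("alice", "correct horse", shop_key))
    svc.change_password(uid, "correct horse", "new phrase")
    svc.unlink_site(uid, shop_key)
    after_unlink = shop.accept(svc.authenticate("alice", "new phrase", shop_key))
    return ok, bad_pw, not_linked, wrong_site, after_unlink
```

The point the code makes beyond the post: "read-only" is enforced by what the site is given (a signed record of four fields, nothing that can write back), and "only users who have signed up for their site" is enforced by the service refusing to mint an assertion for an unlinked account, so removing the account in one place really does lock the site out on the next login.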