[Seaside] authentication for seaside
sebastian at flowingconcept.com
Wed Dec 29 16:12:42 UTC 2010
Security is a trade-off with convenience.
It is not convenient to store your money in your bank (especially when the bank is lending it to other people without making you a partner in the dividends), but you do it to enhance the security of your patrimony (and even that sometimes fails).
So you have to analyze and take a stand on how you choose your trade-off: the one that is best for making your business achieve a market fit.
To give you an example, the largest bank around here is losing hundreds of millions to phishing, yet they still don't give the user the inconvenience of plugging in some kind of hardware just to use their online banking webapp, because they know it would be such a mess for their market fit that it would make them lose even more money (probably a whole lot more).
It's always a trade-off. Not always an intuitive one, or one that is all that good.
Things can go wrong, so we have to do everything to make them 1. non-fatal and 2. fast to recover from; after that, life will find its way by itself.
On Dec 29, 2010, at 12:34 PM, Tony Fleig wrote:
> Regarding consolidation of account login security:
> I think it depends on the purpose of the password and the account. If
> the account exists only to separate one user's data from another's,
> then one could argue the password is actually not needed at all; the
> username is enough. If, in contrast, the purpose of the password is
> for security, then the password is a critically important part of
> preventing unauthorized access to the user's information.
> Users have for years been using the word "password" and other
> easy-to-guess words as their password and many of these users have
> suffered the consequences. Entrusting the security of all your on-line
> accounts to a single entity, be it Facebook, Twitter, or a national
> government provides a single point of failure for the security of the
> associated accounts. This is the same reason why using the same
> password for multiple accounts is ill-advised.
> Passwords are vulnerable not only to on-line hacking, but also to
> theft or hacking from within the organization that maintains and
> verifies the password. I believe the threat from inside the
> password-holding organization is probably as great or greater than the
> threat from outside given the greater level of access those inside the
> organization have.
> I have divided my on-line accounts into two groups: those whose
> security is not important because they do not contain any personal
> information, and those whose security is indeed important, such as
> on-line bank accounts and any account containing personal information
> that could lead to identity theft. I use one password for all the
> insecure accounts, and a different password for each of the secure
> accounts. That way if a password is revealed, only one account is
> immediately compromised.
> I understand keeping track of many passwords is inconvenient and just
> automatically using one's Facebook login at another site is very
> convenient. Convenience is also the reason why people use the word
> "password" as their password. I, personally, would not use automatic
> Facebook or Twitter login for any but my insecure accounts -- and
> those are, almost by definition, the accounts that are not very
> important to me.
> I have three friends whose on-line accounts were compromised and who
> lost significant amounts of money and suffered months of continued
> problems recovering from identity theft. These were not rich people.
> This does happen.
> I think there is still a place for per-site login and security,
> inconvenient as it may be.
> seaside mailing list
> seaside at lists.squeakfoundation.org