[Seaside] authentication for seaside

Tony Fleig tony.fleig at gmail.com
Wed Dec 29 14:34:36 UTC 2010


Regarding consolidation of account login security:

I think it depends on the purpose of the password and the account. If
the account exists only to separate one user's data from another's,
then one could argue the password is actually not needed at all; the
username is enough. If, in contrast, the purpose of the password is
for security, then the password is a critically important part of
preventing unauthorized access to the user's information.

Users have for years been using the word "password" and other
easy-to-guess words as their password and many of these users have
suffered the consequences. Entrusting the security of all your on-line
accounts to a single entity, be it Facebook, Twitter, or a national
government, provides a single point of failure for the security of the
associated accounts. This is the same reason why using the same
password for multiple accounts is ill-advised.

Passwords are vulnerable not only to on-line hacking, but also to
theft or hacking from within the organization that maintains and
verifies the password. I believe the threat from inside the
password-holding organization is probably as great or greater than the
threat from outside given the greater level of access those inside the
organization have.

I have divided my on-line accounts into two groups: those whose
security is not important because they do not contain any personal
information, and those whose security is indeed important, such as
on-line bank accounts and any account containing personal information
that could lead to identity theft. I use one password for all the
insecure accounts, and a different password for each of the secure
accounts. That way if a password is revealed, only one account is
immediately compromised.

I understand keeping track of many passwords is inconvenient and just
automatically using one's Facebook login at another site is very
convenient. Convenience is also the reason why people use the word
"password" as their password. I, personally, would not use automatic
Facebook or Twitter login for any but my insecure accounts -- and
those are, almost by definition, the accounts that are not very
important to me.

I have three friends whose on-line accounts were compromised and who
lost significant amounts of money and suffered months of continued
problems recovering from identity theft. These were not rich people.
This does happen.

I think there is still a place for per-site login and security,
inconvenient as it may be.
