http://bugs.winehq.org/show_bug.cgi?id=28660
Bug #: 28660
Summary: appdb uses phishable/replayable credentials
Product: WineHQ Apps Database
Version: unspecified
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: minor
Priority: P2
Component: appdb-unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: kevinperson@topicbox.com
Classification: Unclassified
The recent compromise of the winehq authentication databases highlights the problem with using passwords as authentication credentials: they can be stolen, and then you have to tell all your users their passwords are out there.
Use of an authentication server like OpenID (you can't lose secrets if you don't keep them on your server) or a challenge-response scheme like client-side SSL certs or phone verification avoids this problem.
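The challenge-response idea the report asks for, as an added example (not code from the report or from AppDB): a toy Schnorr identification protocol in Python where the server stores only a public value and each login is bound to a one-time challenge, so a stolen user table contains nothing a thief can log in with and a captured transcript does not replay. The group parameters and the Server/login names are constructed for illustration.

```python
import secrets

# Constructed toy group, far too small for real use: safe prime P = 2*Q + 1,
# G = 4 generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def keygen():
    """Client side: private x never leaves the client; the server gets only y = G^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit():
    """Client step 1: fresh r and commitment t = G^r, sent before seeing the challenge."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def respond(x, r, c):
    """Client step 3: s = r + c*x (mod Q); a different challenge gives a different s."""
    return (r + c * x) % Q

def verify_response(y, t, c, s):
    """Accept iff G^s == t * y^c (mod P): needs only the public y, never x."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

class Server:
    """Keeps public keys only, so a dump of `users` gives a thief nothing to log in with."""
    def __init__(self):
        self.users = {}    # username -> y
        self.pending = {}  # username -> (t, c) for the login in flight

    def register(self, user, y):
        self.users[user] = y

    def challenge(self, user, t):
        """Server step 2: bind this login attempt to a one-time random challenge."""
        c = secrets.randbelow(Q - 1) + 1
        self.pending[user] = (t, c)
        return c

    def verify(self, user, s):
        t, c = self.pending.pop(user, (None, None))  # single use: no replay of (t, s)
        if t is None or user not in self.users:
            return False
        return verify_response(self.users[user], t, c, s)

def login(server, user, x):
    """Full exchange: commit -> challenge -> respond; the server never learns x."""
    r, t = commit()
    c = server.challenge(user, t)
    return server.verify(user, respond(x, r, c))
```

A real deployment would use a standard large group or a signature over TLS (as with client certificates); the toy numbers only keep the arithmetic readable.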
--- Comment #1 from Ken Sharp kennybobs@o2.co.uk 2011-10-11 17:52:41 CDT ---
Very few users understand how any of that works. They won't be interested.
The current method is the easiest way for new users to sign up.
--- Comment #2 from Austin English austinenglish@gmail.com 2011-10-11 18:09:22 CDT ---
OpenID is worth discussing. Phone verification is overkill IMHO, AppDB doesn't control users' finances...
André Pirard A.Pirard@ulg.ac.be changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |A.Pirard@ulg.ac.be
--- Comment #3 from André Pirard A.Pirard@ulg.ac.be 2011-10-12 07:44:54 CDT ---
> Very few users understand how any of that works.
That's because very few administrators care to spare users BIG PROBLEMS. OpenID is MUCH easier to understand than e-mail. It should be RECOMMENDED because very few users understand even less how to manage 100 different passwords, and not using OpenID causes disasters.
--- Comment #4 from Kevin Turner kevinperson@topicbox.com 2011-10-12 12:02:46 CDT ---
I expect Linux users who are filing bug reports are on the more technical side of the curve, and while "OpenID" might not have the user recognition we'd hope for, I expect if you put a "Log In with Google" button on there people would know what it does.
(And a "Log In with Launchpad" and a little "enter your OpenID" link tucked away for those of us who are still trying to keep the dream of a decentralized system alive.)
--- Comment #5 from André Pirard A.Pirard@ulg.ac.be 2011-10-12 16:26:22 CDT ---
A "Log In Google" with any OpenID would be terribly effective, but Google is just too eager to know who logs in where and when. They allow their ID to be used anywhere but not the opposite. And they support OpenID. Launchpad is the joker case: they claim to support logging in with OpenID, but only with their own ID ;-) In fact, they use it internally to simplify sharing their database among their services. Apart from quite a number here and there (one just too easily misses the button), I know SourceForge. I wanted to recommend Wikipedia to replace their anonymous updates with OpenID but I don't know where to e-mail and I'm already doing too much. It's easy for the user with a good howto and OpenID seem(ed?) to help the adm. Or Google, maybe?
--- Comment #6 from André Pirard A.Pirard@ulg.ac.be 2011-10-16 17:32:04 CDT ---
(In reply to comment #4)
> I expect Linux users ... on the more technical side of the curve,
Well, can err.. other users not use an online payment system through a third party financial site such as Paypal? OpenID uses exactly the same site-swapping procedure, except that it's far easier to sign up for -- and mostly finance :-) -- an OpenID than a credit card.
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Platform|All                         |Other
         OS/Version|All                         |other

--- Comment #7 from Austin English austinenglish@gmail.com 2012-02-23 15:19:56 CST ---
Removing deprecated 'All' Platform/OS.
--- Comment #8 from Ken Sharp kennybobs@o2.co.uk 2013-07-15 19:46:11 CDT ---
(In reply to comment #4)
> I expect Linux users who are filing bug reports are on the more technical side of the curve
If that were true the triage team would have an easy life. Try reading a few bug reports.
(In reply to comment #3)
> very few users understand even less how to manage 100 different passwords and not using OpenID causes disasters.
That makes no sense. You're suggesting that very few users understand how e-mails and passwords work? How do you log in to an OpenID account? Facial recognition?
Using a single OpenID account is no more secure than using the same e-mail and password on multiple sites, nor is it worth the additional hassle.
Ken Sharp kennybobs@o2.co.uk changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |http://bugs.winehq.org/show_bug.cgi?id=28674
--- Comment #9 from André Pirard A.Pirard@ulg.ac.be 2013-07-16 04:17:01 CDT ---
> Using a single OpenID account is no more secure than using the same e-mail and password on multiple sites, nor is it worth the additional hassle.
This is maybe why many sites offer to log in with a Google or Facebook or whatever account and require that you be affiliated with them. OpenID is the no-affiliation equivalent.
It is absolutely no hassle at all, just a bit of understanding that it "works like Google" which is by far a more complicated authorization system.
Mind you, changing a single compromised password is easier than 200. The problem is getting control of your account again. But maybe they'll all read this one day: http://www.papou.byethost9.com/notes/lost_account_recovery.html
OpenID is not for highly sensitive accounts. But these are usually not protected by a plain password anyway.