<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><BR><DIV><DIV>On 27 Jan '06, at 2:59 PM, David Nicol wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">By using passwords, this SSO system contributes to the password glut</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">rather than helping mitigate it more aggressively.</FONT></P></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV><DIV>One password is admittedly more than none, but the next time you comment to another blog using your OpenID instead of registering another account, you're already ahead.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I don't know what OS or browser you use, but most have mechanisms for automatically storing and filling in passwords. The Keychain on Mac OS X has pretty good security.</DIV><BR><BLOCKQUOTE type="cite"> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">A better system IMO is to use e-mailed tokens to verify identity.<SPAN class="Apple-converted-space"> </SPAN>Not</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">just at the beginning for e-mail association verification but for sign-in.</FONT></P> </BLOCKQUOTE></DIV><DIV><BR class="khtml-block-placeholder"></DIV>Doesn't that beg the question of what you use to authenticate yourself to your mail server?<DIV><BR><DIV>Seriously, emailing magic cookies is not very secure. It relies entirely on the impracticality of watching the traffic. The message is sent in the clear, so anyone who can see the packets can trivially impersonate that person. Password logins over SSL at least have some crypto protecting them.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Not that passwords aren't a problem. But the realistic solutions I've heard of tend to involve challenge/response protocols with hardware tokens on the user's end (like the CryptoCard™ I have for logging into my employer's VPN.)</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>--Jens</DIV></DIV></BODY></HTML>