DISQUS 3 Embraces OpenID
By Daniel Miessler on August 26th, 2009: Tagged as Blogging | OpenID
Wow, I’m really enjoying the latest version of the DISQUS comment system. I’m especially pleased to see support for OpenID added in, and it actually worked exactly as expected.

I linked my OpenID URL (danielmiessler.com) to my DISQUS account, and then elected to post a comment to DISQUS using an OpenID profile. Well, since I was already logged into my OpenID provider, once I supplied my OpenID I was transparently logged in as my DISQUS account.
Very slick.
Password Reset Mechanisms: The Online Security Threat Nobody’s Talking About
By Daniel Miessler on August 25th, 2009: Tagged as Information Security | OpenID | Technology

Humans are notoriously poor at weighing risk. We use emotion, rather than reason, to judge what’s truly dangerous, which is why most Americans are more afraid of handguns in the home than of swimming pools when it comes to child safety.
And it’s the same with online security. People worry about scary hackers penetrating through firewalls and stealing passwords for websites they use, but the reality–just like with swimming pools–is usually much more mundane (and dangerous).
The Real Threat
Most people–and I dare say even most security professionals–don’t realize that the greatest vulnerability to online account security doesn’t come from having multiple passwords spread out over many sites, or even from proposed identity consolidation systems like OpenID. It actually comes from the mother of all single points of failure–the email-based password reset mechanism.
Systems like OpenID are potential points of failure, for some subset of online users, at some point in the future. Email, on the other hand, is a single point of failure for almost everyone–right now.
Think about it: when you forget your password, how do you reset it for the majority of the sites you use? Right, email. That means that the way into virtually all those different websites is through your email account. In other words, the single most important password you have is the password to your email account.
The Mother of All Backdoors
Unfortunately, gaping holes exist in our current online password security systems–including those on email accounts. The hole comes in the form of question-answer reset systems, whereby you are asked some questions like, “What’s the name of your favorite pet?”, or “What was the name of your first High School?” in order to reset your password. These systems constitute a major weakness in online security for the simple reason that guessing these answers is often much easier than guessing your actual password.
So the bottom line is that if someone can backdoor your email account through a weak reset mechanism, they will then own your single point of failure for all your other online accounts. This is the swimming pool of online attacks because it yields way more passwords per year than super-hackers, but it gets far less attention.
So What Can We Do?

Here are the things you can do immediately to improve your online security posture:
1. Go, right now, and change your email password. Make it as complex as possible and don’t use a scheme or pattern that you’ve used in the past. Make it around 8 characters (you get diminishing returns beyond that) and make sure to use upper-case, lower-case, numbers, and at least one special character.
2. Modify your password reset questions and answers for your email account (if you have them). If you have the option, create your own questions, and use answers that only you would know. Don’t be like Sarah Palin (solid advice on a number of levels) and use something that can be looked up (she got her email hacked by using her High School name). If you’re forced to use canned questions, be tricky: consider answering “Friday” for favorite food, or “7129” for your favorite pet’s name.
3. Sign up for an OpenID account. I suggest PIP from VerisignLabs because they offer a number of two-factor options (I use their soft token). Make this password a good one, and don’t base it off of any patterns you’ve used in the past. Pay special attention to your reset mechanisms (see numbers 1 and 2), and enable the two-factor option if at all possible. Enable the requirement on your OpenID account (PIP) that you be signed in before an incoming authentication request is granted.
4. For your sensitive accounts (I’d say this includes social networking sites in most cases) use your OpenID account wherever you can. And where you do, be sure to change your local, website-based password (which you’ll be mapping your OpenID to) to something complex. Consider using a password-generator tool for generating and managing those passwords–something like 1Password or Password Safe. You hopefully won’t have to use them much, as you’ll be using your OpenID in most cases.
These four things should enhance your online security significantly, and doing just the first two will get you a solid measure of the benefits. In an upcoming article I’ll be looking at some of the password reset mechanisms used by major services, and evaluating the strength of each. ::
From Password Reset Mechanisms to OpenID: A Brief Discussion of Online Password Security
By Daniel Miessler on August 24th, 2009: Tagged as Authentication | Information Security | OpenID

For those not familiar, OpenID is a system that allows you to sign in to multiple websites using one identity. So, rather than have a different username and password for each site, you would just sign into each one using your OpenID credentials. In addition to the convenience this offers, there’s a security benefit in that the websites you use OpenID with don’t ever see the password you entered to gain access to their site.
This works by delegating the authentication out to the OpenID provider. Essentially, OpenID-enabled websites trust OpenID providers, so when you go to a given OpenID website it redirects you to your provider, where you log in with your OpenID credentials. You are then seamlessly redirected back to the site, and your provider tells the site in the background, “This person is good to go…”
So at that point you’re authenticated to the site without it ever having seen your password, and you didn’t have to click around to multiple sites: it all happened with a single login. This is stellar, but there’s a downside.
The ‘Eggs and Baskets’ Counterargument
While the scenario above keeps websites from getting your OpenID password during legitimate website logins, many have raised a valid question:
If you are logging into all these websites with one set of credentials, doesn’t that increase the damage that can be done if your OpenID password is compromised?
Without question, the answer is yes. But that doesn’t necessarily mean that consolidating on an OpenID identity is less secure; the risk assessment is more complex than that. And that’s where the discussion gets interesting.
Tradeoffs
So, we’ve established that OpenID keeps individual websites from having access to your passwords. We know that is good, so we’ll mark that as a positive. We also know that putting all one’s security eggs in one password basket increases the impact of a password compromise–so that’s a negative.
We can also add the following assumptions pretty safely:
- users tend to use poor passwords
- users share these poor passwords across websites and services
- therefore, a compromise at one site often leads to a compromise at others
So the question really becomes:
Which presents more risk: weak and/or similar passwords used across multiple sites that have different security measures protecting those passwords–meaning one or more is likely to be guessed and compromised, or a stronger, single OpenID that’s protected in a known and trusted way yet represents a single point of failure?
There’s also another downside to OpenID that must be factored in: the phishing threat. This is where a user thinks he/she is being redirected to log into their OpenID provider, when in fact they are being shown an attacker’s website. So, when they enter their credentials the bad guy has just stolen the password not just to one site, but to every site they use OpenID with.

But again, we don’t want to give the impression that OpenID is any more prone to phishing than any other service–it’s not. The issue isn’t an increased ease of compromise of OpenID credentials (there isn’t any), but rather the increased damage that could result if they were compromised.
But if you think that’s bad, it’s nothing compared to the danger we already face today.
The Weakest Link: Email Password Reset Mechanisms
Most people–and I dare say even most security professionals–don’t realize that the greatest vulnerability to website password security doesn’t come from having multiple passwords spread out over many sites. It actually comes from the mother of all single points of failure–the email-based password reset mechanism.
OpenID is a potential single point of failure, for some subset of online users, at some point in the future. Email, on the other hand, is a single point of failure for almost everyone–right now.
Think about it: when you forget your password, how do you reset it for the majority of the sites you use? Right, email. That means that the way into virtually all those different websites is through your email account. This leads us to a startling conclusion: the absolute most important password you have is the password to your email account.
The other backdoor into your accounts is the question-answer system whereby you are asked some questions like, “What’s the name of your favorite pet?”, or “What was the name of your first High School?” These systems constitute a major weakness in online security for the simple reason that guessing these answers is often much easier than guessing your password.
A Risk Discussion
OK, so now we’ve laid some things out on the table: multiple weak passwords spread across sites, single points of failure, etc.–let’s look at them, and see where the risk tradeoffs lead us. Keep in mind: while I am experienced in information security, this analysis is definitely subject to interpretation. Follow along with my logic and let me know if you disagree.
Many Weak Passwords vs. Single Point of Failure with OpenID
First off, I’d say that using an OpenID with a solid provider and a strong password (preferably with two-factor authentication) is going to yield an overall more secure posture for the average user than that same person using weak passwords (which are often shared) on individual websites. The key here is that if any of those passwords on those multiple sites are cracked, via whatever method, it’s likely to lead to the cracking of other sites as well.
Phishing
The phishing narrative, which is often relayed in order to dissuade people from considering OpenID, is not nearly as compelling as it appears. This is because that same attack would work today, for those same users who’d be vulnerable to an OpenID phish, if they were to be sent to a fake GMail or Yahoo! Mail login. That attack is rather trivial, and looks something like this:
- Capture the victim’s email password via phishing
- Use the password reset mechanism at the various sites you want to crack of theirs
- Collect and reset those passwords from the compromised email account
In other words, this attack is nearly identical to the hypothetical OpenID single-point-of-failure (SPOF) attack, but email account phishing is a single point of failure that most everyone has, so it’s a threat right now.

So What Do We Do?
So here are the things you can do immediately to improve your online security posture:
1. Go, right now, and change your email password. Make it as complex as possible and don’t use a scheme or pattern that you’ve used in the past. Make it around 8 characters (you get diminishing returns beyond that) and make sure to use upper-case, lower-case, numbers, and at least one special character.
2. Modify your password reset questions and answers for your email account (if you have them). If you have the option, create your own questions, and use answers that only you would know. Don’t be like Sarah Palin (solid advice on a number of levels) and use something that can be looked up (she got her email hacked by using her High School name). If you’re forced to use canned questions, be tricky: consider answering “Friday” for favorite food, or “7129” for your favorite pet’s name.
3. Sign up for an OpenID account. I suggest PIP from VerisignLabs because they offer a number of two-factor options (I use their soft token). Make this password a good one, and don’t base it off of any patterns you’ve used in the past. Pay special attention to your reset mechanisms (see numbers 1 and 2), and enable the two-factor option if at all possible. Enable the requirement on your OpenID account (PIP) that you be signed in before an incoming authentication request is granted.
4. For your sensitive accounts (I’d say this includes social networking sites in most cases) use your OpenID account wherever you can. And where you do, be sure to change your local, website-based password (which you’ll be mapping your OpenID to) to something complex. Consider using a password-generator tool for generating and managing those passwords–something like 1Password or Password Safe. You hopefully won’t have to use them much, as you’ll be using your OpenID in most cases.
These four things should enhance your online security significantly, and doing just the first two will get you a solid measure of the benefits. Also, if you have anything to add to this analysis, or if you think I’ve mishandled or omitted something, please do let me know in the comments. ::
Sign In to Facebook Transparently Just by Being Signed Into Google / GMail
By Daniel Miessler on August 17th, 2009: Tagged as Information Security | OpenID | Social Networking | Technology

So you have a Facebook account, right? And you use Google Mail, right? Good, then this is for you. It’s just recently become possible for you to sign into Facebook automagically, i.e. without entering your Facebook username and password, just because you’re already signed into GMail. It’s full of win.

- Convenience: faster registration on new sites: get setup in seconds
- Simplicity: a single username and password to remember
- Security: you don’t give websites your password
If you’re interested in more details, I just finished a piece on web auth technologies here, but the point is that OpenID is blowing up. Everyone’s getting into it: Google, Yahoo, Facebook, Verisign…everyone. The big players who aren’t there now will be soon.
Facebook + Google = OpenID

Well, Google is now the behemoth of Identity Providers, and Facebook is now the Grand Pubah of OpenID Relying Parties. It’s a phenomenal combination for users. In other words, Facebook is saying to the world:
We accept Google users as valid users, so if you show up to Facebook and you’re already signed into Google, you’re considered legitimate to us, and we don’t need to authenticate you further.
Setup

So here’s how to get going–in like two minutes. First, sign into Facebook normally–using your Facebook username and password–and go to your Settings. On the default, left-most tab you’ll have a section called “Linked Accounts”. Click “Change” there to add an account.

Select “Google” from the pull down menu and you’ll be asked to allow Facebook and Google to interact. Once you’ve authorized the connection your two accounts are linked! Now sign out of Facebook (but stay logged in to your Google account) and then go to the Facebook homepage. You’ll see some trickery taking place in the URL bar, and then you’ll be logged into Facebook without having to enter anything!

The way this works is just like when you enter an OpenID identity manually on a site: you’re transparently redirected to the OpenID provider (Google, in this case), which confirms to Facebook that you’re already logged in, and Facebook subsequently lets you into the site.
The only difference is, instead of you providing an OpenID through a login form, Facebook already knows where to redirect you based on the previous “Linked Accounts” step.
Notice that you can also add a number of other account links as well, including various OpenID providers, and Yahoo! My favorite, however, is Verisign PIP, because it allows me to use two-factor authentication to access my OpenID provider.
Anyway, enjoy your new transparent login to Facebook through Google, and keep your eye out for more OpenID developments around the web. ::
Facebook Now Supports OpenID
By Daniel Miessler on May 19th, 2009: Tagged as Information Security | OpenID

Exciting stuff–Facebook is rolling out full support for OpenID. Once it’s done being pushed to all users, you’ll be able to log in seamlessly to Facebook if you’re already logged into your OpenID provider.
Combine this with two-factor authentication from PIP, and things are shaping up nicely.
Oh, and they’re supporting seamless logon from Google as well. Very cool stuff. ::
[ 2009-05-19 : Confirmed--I just logged out of Facebook and re-visited the homepage while logged into my OpenID provider (with two-factor, mind you). It seamlessly logged me in. Totally sick. ]
Verisign PIP OpenID Delegation Code
By Daniel Miessler on April 14th, 2008: Tagged as Information Security | OpenID
So I just started using the PIP service from Verisign to handle my OpenID. It’s a pretty solid OpenID implementation from what I’ve seen and has the added bonus of supporting two-factor authentication via the token seen above.
But I was having a problem with delegation, which is where you can enter your own URL for your identifier (think username) when signing in to an OpenID-enabled site.
I was told to use this:
<link rel="openid.server" href="https://pip.verisignlabs.com/server/" />
<link rel="openid.delegate" href="http://username.pip.verisignlabs.com/" />
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadis" />
<meta http-equiv="X-YADIS-Location" content="http://pip.verisignlabs.com/user/username/yadis" />
…but that doesn’t work when signing into certain sites, such as the Identity Gang Wiki. You can sign into it using your full PIP URL, but not using delegation with the code seen above.
So I talked to the nice folks at Verisign and was put in touch with Gary Krall. He was most helpful. We determined that my delegation code wasn’t quite what it needed to be.
He suggested the following, which worked great:
<link rel="openid.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://username.pip.verisignlabs.com" />
<link rel="openid2.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid2.local_id" href="http://username.pip.verisignlabs.com" />
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadisxrds" />
That worked for me and should for you as well, but I got curious and decided to see if I could optimize that at all. As it turns out, the OpenID 2.0 Spec located here allowed me to trim down the required code significantly:
<link rel="openid2.provider openid.server" href="http://pip.verisignlabs.com/server"/>
<link rel="openid2.local_id openid.delegate" href="http://username.pip.verisignlabs.com"/>
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadisxrds" />
This also works and has the added benefit of the first two lines coming from the official spec. Plus, it’s only three lines total. The third line might still be a bit of an imperfect hack, but I couldn’t get it to work using the official recommendation.
Anyway, that last snippet should get you working with delegation and Verisign PIP with the least amount of the most compliant code possible. That is, at least until I figure out how to do the XRDS bit properly according to the 2.0 spec.
[ Edit: Please note that some sites like LiveJournal still use the 1.0 specification and will fail with the trimmed down version. I re-added the 1.0 bits and the code below is the final version I have running. ]
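To see why the trimmed snippet works for 2.0-aware relying parties but trips up older ones, here is an added example (not code from the post or from Verisign) of the relying-party side of HTML-based discovery. It parses the delegation markup above in two modes: the spec-compliant one, where `rel` is a whitespace-separated token list, and a naive 1.x-era one that compares the whole `rel` attribute literally; `username` is the post's placeholder.

```python
"""Relying-party HTML discovery for OpenID delegation markup (added example)."""
from html.parser import HTMLParser

# Constructed sample 1: the trimmed snippet from the post (combined rel tokens).
TRIMMED_HEAD = """<html><head>
<link rel="openid2.provider openid.server" href="http://pip.verisignlabs.com/server"/>
<link rel="openid2.local_id openid.delegate" href="http://username.pip.verisignlabs.com"/>
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadisxrds" />
</head><body></body></html>"""

# Constructed sample 2: the longer snippet suggested by Verisign (one token per link).
VERBOSE_HEAD = """<html><head>
<link rel="openid.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://username.pip.verisignlabs.com" />
<link rel="openid2.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid2.local_id" href="http://username.pip.verisignlabs.com" />
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadisxrds" />
</head><body></body></html>"""

OPENID1_KEYS = ("openid.server", "openid.delegate")          # OpenID 1.x link relations
OPENID2_KEYS = ("openid2.provider", "openid2.local_id")      # OpenID 2.0 spec, HTML discovery


class _LinkCollector(HTMLParser):
    """Collects <link rel href> pairs and the X-XRDS-Location meta tag from a page."""

    def __init__(self, split_rel):
        super().__init__()
        self.split_rel = split_rel
        self.links = {}   # rel token -> first href seen (first match wins, per spec)
        self.xrds = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "rel" in a and "href" in a:
            # Spec-compliant: rel is a whitespace-separated token list.
            # Naive 1.x-era parser: the whole attribute must match literally.
            tokens = a["rel"].split() if self.split_rel else [a["rel"]]
            for token in tokens:
                self.links.setdefault(token, a["href"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.xrds = self.xrds or a.get("content")


def discover(html, split_rel=True):
    """Return the discovered endpoints plus whether 1.x and 2.0 discovery each succeed."""
    parser = _LinkCollector(split_rel)
    parser.feed(html)
    result = {"xrds": parser.xrds}
    for key in OPENID1_KEYS + OPENID2_KEYS:
        result[key] = parser.links.get(key)
    result["openid1_ok"] = all(result[k] for k in OPENID1_KEYS)
    result["openid2_ok"] = all(result[k] for k in OPENID2_KEYS)
    return result
```

Run against `TRIMMED_HEAD`, a literal-match parser finds neither flavour, which matches the LiveJournal failure described in the edit; the verbose snippet satisfies a literal-match 1.x parser but uses `openid2.server` rather than the spec's `openid2.provider`, which is why the trimmed snippet is the more compliant one.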
W00t! I Just Posted My First Comment Using OpenID
By Daniel Miessler on March 14th, 2008: Tagged as OpenID | Security
I just posted my first comment using OpenID (that worked). I’ve tried a few other things that use OpenID with my own server as my endpoint and I’ve had limited success. But Blogspot seems to be on top of things.
