back to article Google opens up OAuth to tackle password chores

Google has opened up a technology designed to cut back on the number of passwords users need to access multiple websites to web developers, effectively moving the technology into the mainstream after a restricted beta lasting almost a year. Plaxo, Facebook and Yahoo! signed up to support so-called "hybrid onboarding" …


This topic is closed for new posts.
  1. Anonymous Coward

    Old idea googlefied

    You mean like a Windows Live ID or a Microsoft Passport. This idea has been going for yonks.

    Microsoft ahead of Google for once?

  2. Anonymous Bastard

    GMail Spambots Receive New Lease of Life

    From the linked google page:

    "The website can also mark the email address as verified without having to send a traditional "email verification" link to the user."

    In other words, accounts already compromised are given extra freedom with minimal effort from their script kiddie owners.

  3. Jamie Kitson


    You know how we're always told to use different passwords for different sites, etc? Doesn't the whole one login thing mean that not only are we using the same password for every site, but also the same user name.

    Easier to change I suppose.

  4. Anonymous Coward
    Anonymous Coward

    @Jamie Kitson

    You should use different password on different sites to stop one site's compromise giving access to all other sites.

    OpenID and equivalents remove the password - the sites no longer have it.

    Of course, if your OpenID site is compromised, you're fucked.

  5. Simon Mayes

    Only once password to compromise

    So we're now encouraged to have one set of credentials for the whole internet, what fun.

    That means that if it's compromised my whole internet life is over. Just go to my OAuth host site, check out my "authorised" sites, then pretend to be me across the whole internet with ease... Then you can sign up for new services for me as well (an not even worry about being slowed down by having to authorise my email address)... then you can use my PayPal (OAuth as well of course...) and spend my money....

    Just wait until SuperBankUK gets onboard... then you can get my salary before me... Whoo!

    I can't wait!

  6. Gene Cash Silver badge

    @ Anonymous Coward #1

    Yeah, but unlike MS passport, it probably works. Heck, I stopped using XBox Gold when MS passport wouldn't accept my email address. That particular incident was too funny for words.

  7. Anonymous Coward
    Paris Hilton

    sounds great

    Compromise one password and you get everything at once!

  8. LaeMi Qian

    One passwod to find them

    and in the darkness root* them.

    *now now children, I mean in the IT-security sense.

  9. Cyberspy
    Paris Hilton

    So what's changed?

    This is like DejaVu all over again - Microsoft created Wallet/Passport/Live ID for much the same purpose. It's widely used by Microsoft sites, but hasn'treally taken off with other sites, probably because other sites don't really trust Microsoft with shared personal data like this.

    This system may improve usability (less form filling/less emails to confirm email addresses/less passwords/usernames to remember but I cannot see how it will address the security concerns outlined in the article. Indeed, it could even make them worse.

    The problem is, at the article noted, passwords. This system doesn't remove the need for a password.

    If it is possible to work out someone's weak password, then use the same for other accounts, then this system is even worse.

    Not only does it guarantee the user name will always be the same as well as the password (currently, usernames can vary from site to site) it also gives you the chance of trying multiple accounts. One of the screen shots in the 'hybrid onboarding' link shows and example site where you have the choice of using the site's native account, or an OpenID or a YahooID or a Google ID or a ClickPass ID. That's up to 5 chances to get the username/password correct, not just one.

    Back to the drawing board, Google! Even Paris would see these flaws!

This topic is closed for new posts.

Other stories you might like