<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03/28/2013 05:14 PM, David Tomaschik
wrote:<br>
</div>
<blockquote
cite="mid:CAOy4Vzc7XBBhcO0=Y4MW29naJMmACvEWpjEjXbqUKcSa9AAw0Q@mail.gmail.com"
type="cite">
<div dir="ltr">On Wed, Mar 27, 2013 at 11:01 AM, Ron Frazier (ALE)
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:atllinuxenthinfo@techstarship.com"
target="_blank">atllinuxenthinfo@techstarship.com</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Help!
How do I log into learnstreet without a login on google,
twitter, facebook, or github? I can't figure out how to
register / sign in. I don't use any of those services.<br>
<br>
(Yes I have a gmail account that I never use that I had to
set up for my Android tablet. I don't like to give that
login / email to anyone.)<br>
<br>
Sincerely,<br>
<br>
Ron<br>
<br>
<br>
</blockquote>
<div><br>
</div>
<div style="">I've read the rest of this thread (as of the
time of this writing), but I'm purposefully ignoring the
debate over *how many* passwords one should have.</div>
<div style="">
<br>
</div>
<div style="">What am I going to talk about is the
authentication method learnstreet has apparently chosen,
and I'm going to applaud them for it, very strongly.</div>
<div style=""><br>
</div>
<div style="">So, what they are doing is *avoiding being a
source of compromise for any credentials.* And how? By
not storing any credentials! There will never be an
article of "XXX,000 passwords leaked from LearnStreet"
because they don't *HAVE* the passwords.</div>
<div style=""><br>
</div>
<div style="">Storing passwords correctly, providing
password resets correctly, etc, is at least a "medium"
level of hard. (Think it isn't? Write an app with
password storage and reset and get someone to pentest it.)
Letting others do your authentication for you avoids
those headaches. Learnstreet is letting 4 different
OAuth2 providers be their credential storage. 4 providers
that all have dedicated engineers to work on security and
authentication issues.</div>
<div style=""><br>
</div>
<div style="">What's the downside? Yes, learnstreet can
associate your account on the site you use to sign in
with. Given, however, how almost all sites require an
email address to sign up, they already do that. So, if
you want to avoid account association, create a new one
and use it for learnstreet. Net number of accounts is the
same.</div>
<div style=""><br>
</div>
<div style="">Anyone who cannot coherently explain why
salted SHA1 still sucks for password storage shouldn't be
doing it, let alone all the sites that use raw MD5. (FYI,
raw MD5 might as well equal plaintext for anything a human
can remember.) So, getting your authentication "out of
house" is a *smart* move for smaller sites.</div>
<div style=""><br>
</div>
<div style="">[For the record: I have *dozens* of passwords
spread across 2 different password managers. And I still
think password managers suck, I just can't remember that
many passwords. I barely trust either of the password
managers (KeePassX and LastPass) and don't trust them
under a lot of use cases.]</div>
<div style=""><br>
</div>
<div style="">David</div>
</div>
</div>
</div>
<br>
</blockquote>
I use one password manager and it is only locally stored. My wife's
password manager currently is a pad of paper with random bits of
gibberish on it and she is the only one who knows which bit of
gibberish goes to which site; there are no notes for most of the
bits to indicate which site they belong to.<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Jay Lozier
<a class="moz-txt-link-abbreviated" href="mailto:jslozier@gmail.com">jslozier@gmail.com</a></pre>
</body>
</html>