<div dir="ltr">On Wed, Mar 27, 2013 at 11:01 AM, Ron Frazier (ALE) <span dir="ltr"><<a href="mailto:atllinuxenthinfo@techstarship.com" target="_blank">atllinuxenthinfo@techstarship.com</a>></span> wrote:<br><div class="gmail_extra">
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Help! How do I log into learnstreet without a login on google, twitter, facebook, or github? I can't figure out how to register / sign in. I don't use any of those services.<br>
<br>
(Yes I have a gmail account that I never use that I had to set up for my Android tablet. I don't like to give that login / email to anyone.)<br>
<br>
Sincerely,<br>
<br>
Ron<br>
<br><br></blockquote><div><br></div><div style>I've read the rest of this thread (as of the time of this writing), but I'm purposefully ignoring the debate over *how many* passwords one should have.</div><div style>
<br></div><div style>What am I going to talk about is the authentication method learnstreet has apparently chosen, and I'm going to applaud them for it, very strongly.</div><div style><br></div><div style>So, what they are doing is *avoiding being a source of compromise for any credentials.* And how? By not storing any credentials! There will never be an article of "XXX,000 passwords leaked from LearnStreet" because they don't *HAVE* the passwords.</div>
<div style><br></div><div style>Storing passwords correctly, providing password resets correctly, etc, is at least a "medium" level of hard. (Think it isn't? Write an app with password storage and reset and get someone to pentest it.) Letting others do your authentication for you avoids those headaches. Learnstreet is letting 4 different OAuth2 providers be their credential storage. 4 providers that all have dedicated engineers to work on security and authentication issues.</div>
<div style><br></div><div style>What's the downside? Yes, learnstreet can associate your account on the site you use to sign in with. Given, however, how almost all sites require an email address to sign up, they already do that. So, if you want to avoid account association, create a new one and use it for learnstreet. Net number of accounts is the same.</div>
<div style><br></div><div style>Anyone who cannot coherently explain why salted SHA1 still sucks for password storage shouldn't be doing it, let alone all the sites that use raw MD5. (FYI, raw MD5 might as well equal plaintext for anything a human can remember.) So, getting your authentication "out of house" is a *smart* move for smaller sites.</div>
<div style><br></div><div style>[For the record: I have *dozens* of passwords spread across 2 different password managers. And I still think password managers suck, I just can't remember that many passwords. I barely trust either of the password managers (KeePassX and LastPass) and don't trust them under a lot of use cases.]</div>
<div style><br></div><div style>David</div></div></div></div>