Get This Blog via Email:

Powered by Squeet.com

My Links

Home
Readify
Google
Contact
Syndication

Associations

AustralianBlogs.com.au

Blog Stats

Posts - 1111
Stories - 0
Comments - 1278
Trackbacks - 477

Archives

Post Categories

Image Galleries

.NET Community

.NET Rocks!
Adelaide Dot Net Users Group
ASP.NET
AspAdvice
ASPalliance
ASPInsiders
Canberra .NET User Group
Gold Coast .NET SIG
GotDotNet
International .NET Association
Melbourne .NET User Group
MSDN Update (Australia)
Newcastle .NET User Group
Orkut
Queensland MSDN User's Group
Sydney .NET Users Group
Sydney Deep .NET User Group
The Australian Developers.NETwork
Wollongong .NET Users Group

.NET Tools

NAnt
NAntContrib
NHashcash
NProf
NUnit

Blogroll

John Bristowe
Rob Howard
Scott Guthrie
Susan Warren

Developer Resources

Distractions

Addicting Games
CollegeMix Games
FlashGames247
Flying Pig Game
Guess-the-Google
rathergood.com
Smashing Games
Squares 2
The Meatrix
Yeti Sports

Morning Ritual

ACTION Buses
Weather Radar

My Projects

NHashcash
Shrinklet

Readify Bloggers

Bill Chesnut
Chris Hewitt
Dan Green
Darren Neimke
Grant Holliday
Greg Low
Joseph Cooney
Kim Peacocke
Luke Drumm
Martin Granell
Scott Baldwin

Login

Username:

Password:

Remember Me

Be careful where you type in your Passport password . . .

Rocky and Grant’s little story about the password generator over at Gibson Research reminded me of a little episode I had recently with one of the local .NET community members.

Basically this nice chap had decided to put together a little community site that allowed users to log in and share content, but rather than force them to remember yet another username and password combination they decided allow them to type in their Passport username and password.

Ummm – okay – pass. The key detail I have left out here is that the site is not a member of the Passport network, so they essentially take your username and password and store it in their database (whether it is hashed or not is irrelevant).

No – I am not going to link to the site.

posted on Sunday, November 20, 2005 11:07 PM

Comments

# re: Be careful where you type in your Passport password . . .

Kieran Jacobsen

Yeah i think i know the site. There are a few weird uses of passport i have seen. Another i know is using the MSN Messenger API to do logins from what i can work out, looks could, but it is doggy, esp when your passport account is associated with so much these days (betas, betas,and more betas!)

Posted @ 11/20/2005 10:06 PM

# re: Be careful where you type in your Passport password . . .

Tatham Oddie

The site in question does actually use the Messenger API under the covers to validate the credentials. The problem then arises that signing in to MSN kills your other sessions, which users don't like.

Solution:

1. user provides credentials

2A. if cached (and hashed) credentials aren't in the DB, validate them against MSN. if they pass store them in the DB with an expiry date of 3 months

2B. if cached (and hashed) credentials are in the DB but don't match what the user enterred, we are optimistic and assume that they have just changed their passport password - MSN validation is retriggered

Unfortunately for the geeks of the world this isn't a good system - however for the 5,000 you members on the site it is a perfect solution.

The authentication system is currently been updated to also all basic email accounts for those who are Passport skeptics (which they should be).

Posted @ 11/24/2005 7:54 AM

# re: Be careful where you type in your Passport password . . .

Mitch Denny

I just can't take hashing in the database seriously when the credentials aren't collected via an SSL connection.

When your users are niave about security it is YOUR JOB to protect them.

Posted @ 11/24/2005 7:23 PM

# re: Be careful where you type in your Passport password . . .

RockyH

Aside from the fact that the credentials get sent to the site in clear text which is a bad thing anyway, a user should never trust their other credentials to anyone else. Especially if it is a web site that they have no way to validate or vet.

It is just like handing your credentials to someone you pass by on the street. If a site needs people to log in to use it, it needs to create site specific credentials or use the Passport system as it was intended. Any site that asks for you to enter your credentials from other systems that it will store (in any format) is just blatantly dangerous.

It doesn't matter if you're a geek or not, this is a very bad way to capture users' Passport accounts for use on the site. Use passport as it was intended, or don't use it at all.

Posted @ 11/25/2005 3:59 AM

# re: Be careful where you type in your Passport password . . .

[email protected]

http://www.deep-throut-xxx.pupp2pupp.com ## http://www.strip-sextorture.pupp2pupp.com ## http://www.bisexual-idiotene-picture.pupp2pupp.com ## http://www.onbeschrijfelijk-meisjes-ass-to-mouth.marsturberend.com ## http://www.onbeschrijfelijk-meisjes-ejaculatie.marsturberend.com ## http://www.onbeschrijfelijk-meisjes-groepssex.marsturberend.com ## http://www.masturbating-alaston-nainen.lateksi.com ## http://www.wwweroottiset-tarinat-orgasmi.lateksi.com ## http://www.peraaukon-lampimat-voileivat.lateksi.com ## http://www.ylaosaton-paska-taikuri.kolmistaan.com ## http://www.lesbisk-pieni-kondomi.kolmistaan.com ## http://www.kiinalainenhoroskooppi-ylaosaton.kolmistaan.com ## http://www.nakna-modeller-vagina.knulle-noen.com ## http://www.kjonn-eilersen-sofa.knulle-noen.com ## http://www.aylar-naken-analsex.knulle-noen.com ## http://www.slyna-snygg-stjart.knulla-nagon.com ## http://www.hon-svankade-kon.knulla-nagon.com ## http://www.destithosgamiso-porriga-tjejer.knulla-nagon.com ## http://www.onbeschrijfelijk-meisjes-atm.grote-pikken.com ## http://www.onbeschrijfelijk-meisjes-beffen.grote-pikken.com ## http://www.onbeschrijfelijk-meisjes-dronken.grote-pikken.com ##

Posted @ 3/14/2006 8:08 PM

Post a comment

Title

Name

Url

Comments

Remember Me