- home
- reviews
- news
- downloads
- cnet tv
HOLIDAY HELP DESK: Broadcasting live at 1:00 p.m., PT
- log in
- join CNET
- welcome,
- my profile
- log out

Comments on: Yahoo throws weight behind OpenID standard

One of the Web's biggest names has decided to support the universal log-in protocol for its 248 million users.

Add a Comment (Log in or register) (11 Comments)

Great news

by Andy kaufman January 17, 2008 5:34 AM PST

but bad for spammers that have to identify themselves.

We really need to keep track of who is on the Internet, OpenID will do that. Yahoo can record your personal info and issue an OpenID for other web sites.

Like this Reply to this comment

I'll be nterested to see ...
by rshew January 17, 2008 7:55 AM PST: if they'll be able to reconcile my having both a Yahoo! account an an OpenID already.; Like this

Pointless
by Ushiikun January 17, 2008 6:36 AM PST: Correct me if I am mistaken, but isn't there already software you can download\purchase, that will keep track of all your passwords, and automatically input the login\password for you? This would make the most sense to me, since the information is all stored on the users' computers, with no reliance on other companies to "share" that information appropriately.; Like this Reply to this comment

???

by fatbutch January 17, 2008 10:24 AM PST

What exactly is this? If yahoo throws support behind it, doesn't that also include microsoft who has a deal with yahoo?

Like this Reply to this comment

Wh@7 !$ ThI$
by ForestRJ January 17, 2008 1:44 PM PST: Basically and in simplistic form, it is kind f like... Going to work, and being able to log in at one machine, then being able to use that same Login at any PC in the Company... But on a larger scale.

Hell, you could even expand that between home and work, your night class at the Y and so on... LOL. Seriously, if you have the right security mindset, you should be OK. Just use a password that has nothing to do with anything. The password should be no less than 8 characters long, containing upper and Lower case, numbers and 'special characters' like 9@Do)1!H.

I use no less than 10 characters and have found that changing the passwords to my more important emails sites, etc - every 14 to 30 days is a good practice. Takes a couple minutes max per site (if that), but hell; I am already checking email there.; Like this

The problem with OpenID

by MrKhaki January 17, 2008 11:37 AM PST

OpenID is a good idea and I'm glad to see a universal login finally come to popularity (after MS Passport, Liberty Alliance, etc). But, OpenID has a fatal flaw that will hinder use and acceptance; it relies on a username for the account rather than email address.

Example: There are thousands of people who use Shamrock as both the username and password. Shamrock is not unique, but email addresses are and you change change your email address at any time. If someone else comes along with a simple username/password combo and then edits the account, and possible change the password, the original account holder's account just got hijacked, by accident.

I've seen this happen with a large site I used to manage. We quickly changed to email address as the account name.

Like this Reply to this comment

Valid Point, But
by ForestRJ January 17, 2008 1:30 PM PST: As someone that works in the industry, I totally agree with 99% of what you are saying, but, given that fact that "shamrock' is a dictionary word, and any moron that uses it as a password deserves to be jacked. Would it not improve security if the user was required to make up a new stronger password?

For example $h@mR0cK is a valid and secure password in most cases (not that I would use dictionary words for anything more than a name, never a password); the other security concern is unencrypted text files with names like MYPASSSWORDS.TXT or STEALMYIDENTITY.TXT. There should be a basic skills assessment for anyone wanting to buy a PC. Something that would at minimum make sure they understood, NEVER USE DICTIONARY PASSWORD!; Like this View reply Hide reply
Processing

what?
by fleminra January 17, 2008 6:39 PM PST: I run a site that uses OpenID for all logins and I don't understand your argument. OpenID uses URIs for usernames. "Shamrock" would not be a valid OpenID username. "http://mrkhaki.myopenid.com/" or "http://openid.aol.com/mykhaki" would be a valid OpenIDs (and the shorter forms "mrkhaki.myopenid.com" and "openid.aol.com/mykhaki").

The password issue you describe is only an issue if, e.g., Yahoo! allows users to create a Yahoo! account called "shamrock" with a password of "shamrock".

The usual "one problem with OpenID" is phishing.; Like this


by GhostAlph May 14, 2008 10:35 AM PDT: Microsoft has a deal with Yahoo? Ha - hardly. M$ got pissy and walked when Yahoo wouldn't ask "how high" to Microsoft's "JUMP!"; Like this Reply to this comment

(11 Comments)

About The Social

CNET News' Caroline McCarthy is a downtown Manhattanite who believes that, despite popular opinion, the Web can actually help your social life. She's happily addicted to fun social-media tools from Twitter to Yelp to Facebook, sends an inordinate number of text messages, and has a tendency to waste time at the office reading restaurant blogs. Here, she explores all facets of the Web's gregarious side, as well as the unique tech culture in her home city of New York. (Don't call it Silicon Alley.)