Hi there,
what about implementing OpenID across some Wikimedia projects? I know this might be a "political" rather than a "technical" decision, but I think it would bring only positives. I tried to bring it up on Metapub and Village pump, but quite little interest was shown...
Jan
On Sun, Oct 5, 2008 at 3:15 PM, Jan Kucera koltie@seznam.cz wrote:
what about implementing OpenID across some Wikimedia projects? I know this might be a "political" rather than a "technical" decision, but I think it would bring only positives. I tried to bring it up on Metapub and Village pump, but quite little interest was shown...
I've looked at OpenID a couple of times and I'm still unsure of the benefits it really brings. Where lies the virtue of a centralized login across many sites that have nothing in common?
Sebastian
On Sun, Oct 5, 2008 at 3:23 PM, Sebastian Moleski sebmol@gmail.com wrote:
On Sun, Oct 5, 2008 at 3:15 PM, Jan Kucera koltie@seznam.cz wrote:
what about implementing OpenID across some Wikimedia projects? I know this might be a "political" rather than a "technical" decision, but I think it would bring only positives. I tried to bring it up on Metapub and Village pump, but quite little interest was shown...
I've looked at OpenID a couple of times and I'm still unsure of the benefits it really brings. Where lies the virtue of a centralized login across many sites that have nothing in common?
Russian-speaking Wikipedians will enjoy it, because LiveJournal, which uses OpenID, is unbelievably popular among Russian speakers.
I can't see any important advantage except that, but I might be wrong.
On Sun, Oct 5, 2008 at 3:23 PM, Sebastian Moleski sebmol@gmail.com wrote:
On Sun, Oct 5, 2008 at 3:15 PM, Jan Kucera koltie@seznam.cz wrote:
what about implementing OpenID across some Wikimedia projects? I know this might be a "political" rather than a "technical" decision, but I think it would bring only positives. I tried to bring it up on Metapub and Village pump, but quite little interest was shown...
I've looked at OpenID a couple of times and I'm still unsure of the benefits it really brings. Where lies the virtue of a centralized login across many sites that have nothing in common?
Sebastian
Instead of logging in to Wikimedia with a foreign OpenID, I would rather like to see Wikimedia become an OpenID provider, so that I can log in to other sites with a .wikimedia.org OpenID :)
There is an open bug for it and also some code in SVN.
Bryan
On Sun, Oct 5, 2008 at 3:35 PM, Bryan Tong Minh bryan.tongminh@gmail.com wrote:
Instead of logging in to Wikimedia with a foreign OpenID, I would rather like to see Wikimedia become an OpenID provider, so that I can log in to other sites with a .wikimedia.org OpenID :)
I understand *what* people want to do with it. What I don't understand is *why*. What benefit does OpenID provide over just registering with your usual user name and password at any site? If there's an advantage, it would make sense to find some resources to implement this ability. But without some clarity on that, it's rather difficult to justify spending time on that. So what's your hope for what enabling OpenID will accomplish?
Sebastian
On Sunday 05 October 2008 15:39:29 Sebastian Moleski wrote:
On Sun, Oct 5, 2008 at 3:35 PM, Bryan Tong Minh bryan.tongminh@gmail.com wrote:
Instead of logging in to Wikimedia with a foreign OpenID, I would rather like to see Wikimedia become an OpenID provider, so that I can log in to other sites with a .wikimedia.org OpenID :)
I understand *what* people want to do with it. What I don't understand is *why*. What benefit does OpenID provide over just registering with your usual user name and password at any site? If there's an
People don't like registering at websites. If Wikimedia projects would use OpenID, they would attract users they otherwise wouldn't have.
2008/10/5 Nikola Smolenski smolensk@eunet.yu:
On Sunday 05 October 2008 15:39:29 Sebastian Moleski wrote:
I understand *what* people want to do with it. What I don't understand is *why*. What benefit does OpenID provide over just registering with your usual user name and password at any site? If there's an
People don't like registering at websites. If Wikimedia projects would use OpenID, they would attract users they otherwise wouldn't have.
And a lot of "anons" would be a lot more identifiable.
Creating logins on 100 websites is a pain in the backside and one of the reasons we allow anon editing - it lures people in.
- d.
Sebastian Moleski wrote:
I understand *what* people want to do with it. What I don't understand is *why*. What benefit does OpenID provide over just registering with your usual user name and password at any site?
Using the same credentials on more than one site is gambling with your security. Basically anybody you share your secret password with can access all of your accounts everywhere if they want to.
With OpenID only the provider ever sees your credential. OpenID provides a method by which the provider can vouch for you having correctly provided your credentials without having to give them to the other site.
If there's an advantage, it would make sense to find some resources to implement this ability.
The module has existed for several years. The implementation cost should be fairly small.
If there's an advantage, it would make sense to find some resources to implement this ability.
The module has existed for several years. The implementation cost should be fairly small.
So let us do it. OpenID will be critical for the web. Wikimedia, as one of the Internet's top 10 sites, should not be behind and should take the advantage of being an OpenID provider. It will attract new users and make everything easier, I think.
Jan
2008/10/5 Mark mark@geekhive.net
Sebastian Moleski wrote:
I understand *what* people want to do with it. What I don't understand is *why*. What benefit does OpenID provide over just registering with your usual user name and password at any site?
Using the same credentials on more than one site is gambling with your security. Basically anybody you share your secret password with can access all of your accounts everywhere if they want to.
Only if you use the same password for everything - what many people do actually...because it's a PITA to keep e.g. KeePass databases synchronized across maybe two computers and a PDA.
Marco
Only if you use the same password for everything - what many people do actually...because it's a PITA to keep e.g. KeePass databases synchronized across maybe two computers and a PDA.
I've never bothered myself, but you can improve security by mangling the domain name into your password for each site. That allows you to work out the passwords rather than keep a database of them.
Which becomes a problem if sites don't allow passwords larger than 10 to 15 chars (as if they couldn't make a MD5/SHA1 out of it...) :(
Marco
2008/10/6 Thomas Dalton thomas.dalton@gmail.com
Only if you use the same password for everything - what many people do actually...because it's a PITA to keep e.g. KeePass databases synchronized across maybe two computers and a PDA.
I've never bothered myself, but you can improve security by mangling the domain name into your password for each site. That allows you to work out the passwords rather than keep a database of them.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Which becomes a problem if sites don't allow passwords larger than 10 to 15 chars (as if they couldn't make a MD5/SHA1 out of it...) :(
Or sites that force you to have a password between a short range of characters (6-10? Really?), or sites that don't allow special characters, or sites that only allow alphanumeric. I have no clue why some sites force you to use less secure passwords, but it drives me insane. Password management on the web is in a terrible state.
OpenID isn't without its share of security issues, but I think it at least solves the password issue; I can't wait until I can use my gmail OpenID everywhere ;).
V/r,
Ryan Lane
2008/10/6 Lane, Ryan Ryan.Lane@ocean.navo.navy.mil
Or sites that force you to have a password between a short range of characters (6-10? Really?), or sites that don't allow special characters, or sites that only allow alphanumeric. I have no clue why some sites force you to use less secure passwords, but it drives me insane. Password management on the web is in a terrible state.
The worst example I ever met was a web forum which allowed maximum five characters (and my bank...for hell, why doesn't the web interface accept 20 chars long passwords - we are talking about money here!)
OpenID isn't without its share of security issues, but I think it at least solves the password issue; I can't wait until I can use my gmail OpenID everywhere ;).
GMail has OpenID?!
Marco
OpenID isn't without its share of security issues, but I think it at least solves the password issue; I can't wait until I can use my gmail OpenID everywhere ;).
GMail has OpenID?!
Yep, you can use Google as an OpenID provider, yes. They don't advertise it, except for use on Blogger. I use it on my personal blog though.
V/r,
Ryan Lane
Sounds cool...do you know if this also works for people using Google Apps?
Marco
2008/10/8 Lane, Ryan Ryan.Lane@ocean.navo.navy.mil
OpenID isn't without its share of security issues, but I think it at least solves the password issue; I can't wait until I can use my gmail OpenID everywhere ;).
GMail has OpenID?!
Yep, you can use Google as an OpenID provider, yes. They don't advertise it, except for use on Blogger. I use it on my personal blog though.
V/r,
Ryan Lane
On 06.10.2008 09:16:23, Lane, Ryan wrote:
OpenID isn't without its share of security issues, but I think it at least solves the password issue; I can't wait until I can use my gmail OpenID everywhere ;).
I wouldn't like Google to be my identity provider.
Leon
On Wed, Oct 8, 2008 at 12:05 PM, Leon Weber leon@leonweber.de wrote:
I wouldn't like Google to be my identity provider.
But evidently Ryan Lane would. Isn't it nice that OpenID lets you choose your own provider, then?
^_^ And if you're tech savvy, you can even be your own...
~Daniel Friesen (Dantman, Nadir-Seen-Fire) ~Profile/Portfolio: http://nadir-seen-fire.com -The Nadir-Point Group (http://nadir-point.com) --It's Wiki-Tools subgroup (http://wiki-tools.com) --The ElectronicMe project (http://electronic-me.org) -Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG) --Animepedia (http://anime.wikia.com) --Narutopedia (http://naruto.wikia.com)
Aryeh Gregor wrote:
On Wed, Oct 8, 2008 at 12:05 PM, Leon Weber leon@leonweber.de wrote:
I wouldn't like Google to be my identity provider.
But evidently Ryan Lane would. Isn't it nice that OpenID lets you choose your own provider, then?
2008/10/6 Marco Schuster marco@harddisk.is-a-geek.org:
Which becomes a problem if sites don't allow passwords larger than 10 to 15 chars (as if they couldn't make a MD5/SHA1 out of it...) :(
How about a standard 5 character alphanumeric password concatenated with the first 5 characters of the domain name encoded with ROT13? That should be accepted by any site and is pretty secure (it would be good to include symbols in there, but some sites don't accept them, and you may want some better mangling than just ROT13).
On Mon, 2008-10-06 at 15:18 +0100, Thomas Dalton wrote:
2008/10/6 Marco Schuster marco@harddisk.is-a-geek.org:
Which becomes a problem if sites don't allow passwords larger than 10 to 15 chars (as if they couldn't make a MD5/SHA1 out of it...) :(
How about a standard 5 character alphanumeric password concatenated with the first 5 characters of the domain name encoded with ROT13? That should be accepted by any site and is pretty secure (it would be good to include symbols in there, but some sites don't accept them, and you may want some better mangling than just ROT13).
Easy enough for any modern PC to brute force if one knows you are using such a scheme. 36^5 isn't that many combinations...
KTC
2008/10/6 Kwan Ting Chan ktc@ktchan.info:
On Mon, 2008-10-06 at 15:18 +0100, Thomas Dalton wrote:
2008/10/6 Marco Schuster marco@harddisk.is-a-geek.org:
Which becomes a problem if sites don't allow passwords larger than 10 to 15 chars (as if they couldn't make a MD5/SHA1 out of it...) :(
How about a standard 5 character alphanumeric password concatenated with the first 5 characters of the domain name encoded with ROT13? That should be accepted by any site and is pretty secure (it would be good to include symbols in there, but some sites don't accept them, and you may want some better mangling than just ROT13).
Easy enough for any modern PC to brute force if one knows you are using such a scheme. 36^5 isn't that many combinations...
Yes, knowing half the password in advance will make it easier to crack, that's very true. I was working under the assumption that you don't go around telling people your method of producing passwords...
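The scheme debated above (a 5-character alphanumeric base plus the ROT13 of the domain's first five characters), worked through as an added example that is not from any poster in the thread: it shows that the per-site suffix is computable from the domain alone, so any one site holding the password holds the base for every other site, and that the unknown part is the 36^5 keyspace mentioned. The function names, sample values and the PBKDF2-based alternative are assumptions introduced here for illustration.

```python
import codecs
import hashlib
import math
import string

ALNUM = string.ascii_lowercase + string.digits  # 36 symbols, the "36^5" alphabet


def mangled_password(base: str, domain: str) -> str:
    """Scheme from the thread: 5-char base + ROT13 of the domain's first 5 chars."""
    return base + codecs.encode(domain[:5], "rot13")


def recover_base(stored_password: str, domain: str):
    """What a site holding the password learns: the suffix is public, so strip it."""
    suffix = codecs.encode(domain[:5], "rot13")
    if not stored_password.endswith(suffix):
        return None
    return stored_password[: len(stored_password) - len(suffix)]


def secret_bits(base_len: int = 5, alphabet: str = ALNUM) -> float:
    """Entropy of the only unknown part once the scheme itself is known."""
    return base_len * math.log2(len(alphabet))


def derived_password(master: str, domain: str, length: int = 10) -> str:
    """Swapped-in alternative (not from the thread): PBKDF2 over a master
    passphrase, salted with the domain, rendered as alphanumerics so that
    one site's password does not reveal the master or any other site's."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(), 200_000)
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        n, digit = divmod(n, 36)
        out.append(ALNUM[digit])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    pw = mangled_password("a1b2c", "wikipedia.org")
    base = recover_base(pw, "wikipedia.org")
    print(pw, "->", base, "->", mangled_password(base, "example.com"))
    print(f"unknown part: {secret_bits():.1f} bits ({36 ** 5:,} candidates)")
    print(derived_password("constructed master passphrase", "wikipedia.org"))
```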