[ale] help - how do I log into learnstreet without ...

David Tomaschik david at systemoverlord.com
Thu Mar 28 17:14:28 EDT 2013


On Wed, Mar 27, 2013 at 11:01 AM, Ron Frazier (ALE) <
atllinuxenthinfo at techstarship.com> wrote:

> Help!  How do I log into learnstreet without a login on google, twitter,
> facebook, or github?  I can't figure out how to register / sign in.  I
> don't use any of those services.
>
> (Yes I have a gmail account that I never use that I had to set up for my
> Android tablet.  I don't like to give that login / email to anyone.)
>
> Sincerely,
>
> Ron
>
>
>
I've read the rest of this thread (as of the time of this writing), but I'm
purposefully ignoring the debate over *how many* passwords one should have.

What I am going to talk about is the authentication method learnstreet has
apparently chosen, and I'm going to applaud them for it, very strongly.

So, what they are doing is *avoiding being a source of compromise for any
credentials.*  And how?  By not storing any credentials!  There will never
be an article of "XXX,000 passwords leaked from LearnStreet" because they
don't *HAVE* the passwords.

Storing passwords correctly, providing password resets correctly, etc, is
at least a "medium" level of hard.  (Think it isn't?  Write an app with
password storage and reset and get someone to pentest it.)  Letting others
do your authentication for you avoids those headaches.  Learnstreet is
letting 4 different OAuth2 providers be their credential storage.  4
providers that all have dedicated engineers to work on security and
authentication issues.

What's the downside?  Yes, learnstreet can associate your account on the
site you use to sign in with.  Given, however, how almost all sites require
an email address to sign up, they already do that.  So, if you want to
avoid account association, create a new one and use it for learnstreet.
Net number of accounts is the same.

Anyone who cannot coherently explain why salted SHA1 still sucks for
password storage shouldn't be doing it, let alone all the sites that use
raw MD5.  (FYI, raw MD5 might as well equal plaintext for anything a human
can remember.)  So, getting your authentication "out of house" is a *smart*
move for smaller sites.

[For the record: I have *dozens* of passwords spread across 2 different
password managers.  And I still think password managers suck, I just can't
remember that many passwords.  I barely trust either of the password
managers (KeePassX and LastPass) and don't trust them under a lot of use
cases.]

David
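As an added example that is not part of David's post: this is what the "medium hard" in-house password storage he describes looks like when done properly, including healing the legacy salted-SHA1 records he calls out by rehashing them on a successful login. The record format, the field separator and the PBKDF2 iteration count are my assumptions, not anything LearnStreet or the list members use.

```python
# Added illustration (not from the mailing-list thread): password storage for
# a site that keeps credentials in house, plus upgrade-on-login for legacy
# salted-SHA1 records. Record layout and work factor are assumptions.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # work factor per guess; a salted SHA-1 costs "1"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def legacy_salted_sha1(password: str, salt: bytes) -> str:
    """The weak legacy scheme the post warns about (constructed for the demo):
    the salt defeats precomputed tables, but each guess still costs one SHA-1."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def verify_password(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, replacement_record). replacement_record is a fresh PBKDF2
    record when the login succeeded against a legacy or under-iterated record,
    so the caller can overwrite the old one; otherwise it is None."""
    scheme, *fields = record.split("$")
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = fields
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(salt_hex), int(iterations))
        ok = hmac.compare_digest(calc.hex(), digest_hex)  # constant-time compare
        needs_upgrade = ok and int(iterations) < PBKDF2_ITERATIONS
        return ok, (hash_password(password) if needs_upgrade else None)
    if scheme == "sha1":
        salt_hex, digest_hex = fields
        calc = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        ok = hmac.compare_digest(calc, digest_hex)
        return ok, (hash_password(password) if ok else None)
    return False, None  # unknown scheme: never verify, never upgrade
```

Rehashing only happens after a successful login because that is the only moment the server sees the plaintext; until then the weak record stays weak, which is exactly why getting authentication "out of house" is attractive for a small site.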