[ale] help - how do I log into learnstreet without ...
Jay Lozier
jslozier at gmail.com
Thu Mar 28 23:22:36 EDT 2013
On 03/28/2013 05:14 PM, David Tomaschik wrote:
> On Wed, Mar 27, 2013 at 11:01 AM, Ron Frazier (ALE)
> <atllinuxenthinfo at techstarship.com
> <mailto:atllinuxenthinfo at techstarship.com>> wrote:
>
> Help! How do I log into learnstreet without a login on google,
> twitter, facebook, or github? I can't figure out how to register
> / sign in. I don't use any of those services.
>
> (Yes I have a gmail account that I never use that I had to set up
> for my Android tablet. I don't like to give that login / email to
> anyone.)
>
> Sincerely,
>
> Ron
>
>
>
> I've read the rest of this thread (as of the time of this writing),
> but I'm purposefully ignoring the debate over *how many* passwords one
> should have.
>
> What I am going to talk about is the authentication method learnstreet
> has apparently chosen, and I'm going to applaud them for it, very
> strongly.
>
> So, what they are doing is *avoiding being a source of compromise for
> any credentials.* And how? By not storing any credentials! There
> will never be an article of "XXX,000 passwords leaked from
> LearnStreet" because they don't *HAVE* the passwords.
>
> Storing passwords correctly, providing password resets correctly, etc,
> is at least a "medium" level of hard. (Think it isn't? Write an app
> with password storage and reset and get someone to pentest it.)
> Letting others do your authentication for you avoids those headaches.
> Learnstreet is letting 4 different OAuth2 providers be their
> credential storage. 4 providers that all have dedicated engineers to
> work on security and authentication issues.
>
> What's the downside? Yes, learnstreet can associate your account on
> the site you use to sign in with. Given, however, how almost all
> sites require an email address to sign up, they already do that. So,
> if you want to avoid account association, create a new one and use it
> for learnstreet. Net number of accounts is the same.
>
> Anyone who cannot coherently explain why salted SHA1 still sucks for
> password storage shouldn't be doing it, let alone all the sites that
> use raw MD5. (FYI, raw MD5 might as well equal plaintext for anything
> a human can remember.) So, getting your authentication "out of house"
> is a *smart* move for smaller sites.
>
> [For the record: I have *dozens* of passwords spread across 2
> different password managers. And I still think password managers
> suck, I just can't remember that many passwords. I barely trust
> either of the password managers (KeePassX and LastPass) and don't
> trust them under a lot of use cases.]
>
> David
>
I use one password manager and it is only locally stored. My wife's
password manager currently is a pad of paper with random bits of
gibberish on it, and she is the only one who knows which bit of gibberish
goes to which site; there are no notes for most of the bits to indicate
which site they belong to.
--
Jay Lozier
jslozier at gmail.com
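David's point about salted SHA1 is about speed, not salting: a salt defeats precomputed tables but a single fast hash still lets whoever holds a leaked table test candidates at hardware speed. The following is an added example, not code from this thread or from LearnStreet, contrasting that scheme with the storage a site that keeps its own credentials should use (random per-user salt, deliberately slow PBKDF2, constant-time verify) and measuring how much cheaper each salted-SHA1 check is on the current machine; the iteration count and sample password are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative work factor: tune so one verification costs ~100 ms on your hardware.
PBKDF2_ITERATIONS = 200_000


def salted_sha1(password: bytes, salt: bytes) -> bytes:
    """The scheme the post criticises: one fast SHA1 over salt || password.
    The salt defeats precomputed tables but does nothing about raw speed."""
    return hashlib.sha1(salt + password).digest()


def slow_kdf(password: bytes, salt: bytes) -> bytes:
    """Deliberately slow derivation (PBKDF2-HMAC-SHA256); scrypt/argon2 are better still."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def store_password(password: str) -> tuple:
    """What a site that keeps credentials must do: fresh random salt per user, slow KDF."""
    salt = secrets.token_bytes(16)
    return salt, slow_kdf(password.encode(), salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute and compare in constant time so timing leaks nothing about the digest."""
    return hmac.compare_digest(slow_kdf(password.encode(), salt), stored)


def hashes_per_second(fn, salt: bytes, rounds: int) -> float:
    """How many candidates per second one CPU core can check with scheme `fn`.
    This is the rate a leaked table exposes its users to."""
    candidates = [f"candidate{i}".encode() for i in range(rounds)]  # constructed input
    start = time.perf_counter()
    for c in candidates:
        fn(c, salt)
    return rounds / (time.perf_counter() - start)


def cost_ratio() -> float:
    """Ratio of salted-SHA1 check rate to slow-KDF check rate on this machine."""
    salt = secrets.token_bytes(16)
    return hashes_per_second(salted_sha1, salt, 20_000) / hashes_per_second(slow_kdf, salt, 5)


if __name__ == "__main__":
    salt, digest = store_password("correcthorse")  # constructed sample password
    print("verify ok:", verify_password("correcthorse", salt, digest))
    print("verify bad:", verify_password("wrongpass", salt, digest))
    print(f"salted SHA1 is ~{cost_ratio():,.0f}x cheaper to test per candidate")
```

The ratio printed is the factor by which the slow KDF shrinks an offline attacker's budget after a leak; it is also the reason a small site that can simply not hold passwords, as David describes LearnStreet doing, sidesteps the question entirely.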