Linden Lab asks: Is your password secure? I ask: Do you support OpenID?

On the Second Life blog you can read the question "Is your password secure?" followed by some hints on how to choose a good password, not to use the same password everywhere, and so on.

But the real question is: why does Second Life still not support OpenID? And why does the SLim-Client not authenticate via OAuth? That would make the additional password you have to set up with Vivox unnecessary: OAuth could be built directly into the SLim-Client, and the voice client would hold a revocable token issued for it instead of your account password. One password less to remember.
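To make concrete what "OAuth built into the SLim-Client" would mean in practice, here is an added example (not code from this post, from Linden Lab or from Vivox) of an OAuth 1.0a request signed with HMAC-SHA1 on the client side and verified on the server side. The voice client holds only an access token and its token secret; the account password never reaches it, and the service can revoke that one token without touching the password. The consumer key, token, nonce and timestamp values are the sample values from the OAuth 1.0 specification's worked example and the URL is that example's placeholder host; the nonce store is a constructed in-memory set standing in for whatever the server would really use.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Sample credentials and request parameters taken from the OAuth 1.0
# specification's worked example (not values from Second Life, Vivox or this post).
CONSUMER_KEY = "dpf43f3p2l4k5l03"
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN = "nnch734d00sl2jdk"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
NONCE = "kllo9940pd9333jh"
TIMESTAMP = "1191242096"
URL = "http://photos.example.net/photos"
QUERY = {"file": "vacation.jpg", "size": "original"}


def oauth_escape(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return urllib.parse.quote(str(value), safe="-._~")


def normalize_params(params: dict) -> str:
    """Encode every key and value, sort by encoded key (then value), join with '&'."""
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&enc(url)&enc(normalized params): the signature binds all three."""
    return "&".join([method.upper(), oauth_escape(url), oauth_escape(normalize_params(params))])


def sign_hmac_sha1(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC key is enc(consumer_secret)&enc(token_secret); the signature is the base64 MAC."""
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode("ascii")
    mac = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def build_signed_request(method, url, query, consumer_key, consumer_secret,
                         token, token_secret, nonce, timestamp) -> dict:
    """Client side: add the oauth_* protocol parameters and sign everything.
    Note what is absent from the request: the user's password."""
    params = dict(query)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": token,
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = sign_hmac_sha1(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return params


def verify_signed_request(method, url, params, consumer_secret, token_secret,
                          seen_nonces=None) -> bool:
    """Server side: recompute the signature over the received parameters, compare it in
    constant time, and reject a (timestamp, nonce) pair that has already been accepted."""
    presented = params.get("oauth_signature")
    if presented is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign_hmac_sha1(signature_base_string(method, url, unsigned),
                              consumer_secret, token_secret)
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return False
    if seen_nonces is not None:
        replay_key = (params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if replay_key in seen_nonces:
            return False  # same signed request presented twice: replay
        seen_nonces.add(replay_key)
    return True


def demo():
    """Sign once, verify once, then present the identical request again."""
    req = build_signed_request("GET", URL, QUERY, CONSUMER_KEY, CONSUMER_SECRET,
                               TOKEN, TOKEN_SECRET, NONCE, TIMESTAMP)
    seen = set()
    first = verify_signed_request("GET", URL, req, CONSUMER_SECRET, TOKEN_SECRET, seen)
    replay = verify_signed_request("GET", URL, req, CONSUMER_SECRET, TOKEN_SECRET, seen)
    return req, first, replay
```

Two things the example makes visible: revoking the Vivox client means deleting one token secret on the server, after which its signatures stop verifying while the account password is untouched, and the signature covers method, URL and parameters, so a captured request cannot be edited and resent, and (with the nonce store) cannot be resent unchanged either. A real deployment would additionally reject timestamps outside a short window so the nonce store can be pruned.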

Additionally: back then we learned that they use MD5 at least for the credit card hash, and probably for password hashes as well (judging from the Open Grid Protocol docs). MD5 should be assumed to be broken, so I wonder whether they have upgraded to a better algorithm such as SHA1. For stored passwords, though, swapping the hash function is only half the job: any fast, unsalted hash, SHA1 included, lets an attacker who gets hold of the database test guesses at hardware speed and reuse precomputed tables across all users, so a per-user salt and a deliberately slow, iterated construction are what actually make a leaked password table expensive to crack.
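As an added illustration (not code from this post or from Linden Lab), the following contrasts the unsalted MD5 scheme the post worries about with a salted, iterated PBKDF2-HMAC-SHA256 scheme, and shows why the second one costs an attacker far more per user. The attacker wordlist and the user records are constructed for the example, and the iteration count is an assumption picked so it runs in a moment rather than a production setting.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed attacker wordlist (assumption; a real one has millions of entries).
WORDLIST = ["123456", "password", "letmein", "secondlife", "linden", "qwerty"]

# Iteration count is an assumption for the example; size it to your hardware budget.
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted MD5 over the raw password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_lookup(words) -> dict:
    """Computed once by the attacker. Identical passwords hash identically, so one
    table cracks every user in every unsalted-MD5 database it is applied to."""
    return {md5_unsalted(w): w for w in words}


def crack_md5(stored_hex: str, table: dict) -> Optional[str]:
    """One dictionary lookup per stored hash; no hashing at all at crack time."""
    return table.get(stored_hex)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash, stored as scheme$iterations$salt$hash so the
    parameters can be raised later without invalidating existing records."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iteration count, compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored: str, words) -> Tuple[Optional[str], int]:
    """Dictionary attack on one salted record. Returns (password or None, number of
    PBKDF2 evaluations spent). The salt forces the attacker to redo every guess
    for every user; the iteration count makes each of those guesses slow."""
    work = 0
    for w in words:
        work += 1
        if pbkdf2_verify(w, stored):
            return w, work
    return None, work


def demo():
    """Two constructed users who chose the same weak password, under both schemes."""
    table = build_md5_lookup(WORDLIST)
    md5_records = {"alice": md5_unsalted("letmein"), "bob": md5_unsalted("letmein")}
    # Unsalted: the two records are identical and both fall to a single table lookup.
    cracked = {user: crack_md5(h, table) for user, h in md5_records.items()}
    pbkdf2_records = {"alice": pbkdf2_hash("letmein"), "bob": pbkdf2_hash("letmein")}
    # Salted: different stored values, and no table helps; each must be attacked alone.
    return cracked, pbkdf2_records
```

The point is not MD5 versus SHA-256 as such: a database of unsalted SHA-1 or SHA-256 hashes falls to exactly the same precomputed table as the MD5 one. What changes the economics is the salt (no table reuse across users) and the iteration count (each guess costs the attacker what it costs the login server), and storing the parameters alongside the hash lets the iteration count be raised as hardware gets faster.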

I also hope that all of their staff have good, secure passwords, because you can do much more harm in god mode, which might have been what happened to Twitter.

  1. Ah well. OpenID, like XMPP, is one of those things where it's impossible to understand why LL doesn't fully embrace them. Yes, sure, there are security problems — there are always security problems with any technology — but really, reinventing the wheel is so 1990s…

    As for MD5, Zero and Infinity Linden sort of discussed it on a recent Office Hours meeting: they'll be moving on to SHA1 (or possibly even SHA256) "as quickly as possible". You might have noticed that there is a new LSL function with this new 1.25 server release :)

  2. They don't embrace them because there are supposed to be problems with it. Problems which I never really understood, maybe because they haven't been explained in detail. But even if there are problems with that, the OpenID and OAuth communities are all public and open, and OAuth is even a community-driven specification. There is nothing stopping Linden Lab from engaging with these communities to address any shortcomings. Moreover, there is an Internet Identity Workshop in Mountain View twice a year, which it should be possible for Linden Lab to attend, be it for listening or for finding solutions.

    As you say, reinventing everything (and OGP for instance is really reinventing everything, and thus just creating a bigger walled garden instead of opening the whole thing up to the web) is not the solution and will let Second Life stay on its island.

    The MD5 thing is good to hear but as sad as it sounds, experience shows that "as quickly as possible" from Linden Lab means not much. The new LSL function might be a sign that it's different this time but then again adding this to LSL should be easy, adding this to your whole infrastructure is certainly not.

    (And too bad I missed the talk about MD5 and the malicious CA while I was at the 25C3 in Berlin.)

  3. With all the focus on money and trading, why are we not using more secure means of logging in, like the security keys (fobs) PayPal uses? Those of us that have large amounts of money or assets (land, stores, intellectual property) would prefer the added security!!

    • Actually, when thinking about it: if Linden Lab wants people to use stronger passwords, why not at least put a password checker in place and deny easy ones? Oh, I know why, nobody would sign up anymore ;-) Do they at least have those tips listed on their signup page? Haven't visited that in a while.