Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

According to the article, the site which was compromised does not use OpenID.


There were two sites that were compromised. The first did not use OpenID; it stored an unsalted hash, which lead to the compromised password. The second compromised site -- StackOverflow -- uses OpenID. It was compromised because Jeff used the same password on both sites.

Patio11's point is that this is common user behavior, so OpenID doesn't offer any better security than its weakest point, which becomes sites not using OpenID but storing the same password as OpenID. I have to disagree, though: The alternative to OpenID is many more login/password pairs, which has exactly the same problem to a worse degree: too many passwords to remember, so the users reuse them.


StackOverflow wasn't compromised, Atwood's password was. The actual site that password is entered into is irrelevant. If this is a compromise of SO, then banks are compromised every time somebody steals a credit card.


If that credit card had access to all of the funds in the banks, then you would be right. Atwood has an administrator's account on StackOverflow, and presumably administrator powers.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: