Passpack Home   |   Already have an account? Sign In
Skip to content

Passpack’s Whitelist…It’s Unanimous

Aug. 19, 2008

We previously mentioned our thoughts on Passpack and OpenID. The feedback was almost unanimous. You as users all seemed to be opposed to the idea of having a Passpack whitelitst for OpenID providers.

Just for clarity’s sake, the idea only came into our heads because we were trying to keep consistent with level of security we like to offer Passpack users.

So What Is Our Take On the Issue Now?

We have decided that the OpenID providers that work well with Passpack will be presented on the Passpack Sign In Page.

*An important note – we have verified that logging in with a delegated name from one of these providers should be no problem.

But We Don’t Want To Limit You

As we have always stressed – your Pack is yours. Login with whichever OpenID you prefer but there are 2 things I would like to point out:

1. If you try to login to Passpack with any OpenID provider that has been submitted to PhishTank as a suspected phishing site, Passpack will warn you.

2. Even if you don’t see an icon for your preferred OpenID provider, you can still use it at your discretion by clicking the appropriate icon.

Let us know what you think!

This entry was written by Louise, filed under Passpack Security Info and tagged as , , , , . Follow any comments here with the RSS feed for this post.
Both comments and trackbacks are currently closed.

3 Comments

  1. TB
    Posted Aug. 19, 2008 at 1:25 pm | Permalink

    Isn’t that list of icons going to get HUGE eventually? How about also including an autocomplete feature as you type into the box? And is a warning good enough for a phishing site? I think it’s probably best just to block that site until it’s off the phishing list.

    Other than those minor things, this is amazing, thanks for supporting openid!

    (will there openid support for passpack offline btw?)

  2. Thor Marius K. H
    Posted Aug. 19, 2008 at 2:17 pm | Permalink

    Great to hear that you’re going to use the PhishTank API (just took a look at the comments in “A question for..”).

    Although, I still think that sites listed in phishtank shouldn’t just show a warning. A warning can “potentially” be bypassed if the user’s browser has malicious software.

    Even though it’s not likely, it’s possible, thus it is a security issue. I’d deny any sites using PhishTank, as your chance of finding legit sites on PhishTank is extremely small.

    Better safe than sorry. Especially with 100 potential passwords.

  3. Tara
    Posted Aug. 22, 2008 at 3:45 pm | Permalink

    @TB
    No, that list shouldn’t get too long. We’re only putting a select few OPs in there. The rest will be accepted, but just typed in manually.

    OpenID support for Desktop and Offline? Oh dear, I have no idea. You’re too far ahead :)

    @Thor
    We’re having some internal debate here on whether or not the PhishTank sites should be blocked completely. My vote goes to blocking… we’ll see how that goes (so far I’m loosing).

    Cheers!
    Tara

One Trackback

  1. Passpack And OpenID: Under the Hood « Passpack Blog
    « [...] end we decided that instead of a “whitelist”, the Sign In page will display icons of OpenID providers which ... »
Internet Security Blog Directory