What will the response plan be if your OpenID provider gets hacked

Tags: hacked, openid

The recent hack of the Gawker network has left a question in my mind. If I had an account at Gawker, I would protect myself by changing my passwords at all the other identity providers where I use the same or a related password.

What should I be doing when my OpenID identity provider is hacked?

I use this account to log in basically everywhere and I'm not at all sure how I would go about protecting myself when this account is compromised.

Best Answer

To make changing OpenID providers easy: set up delegation on a domain you own. You then don't have to change all your accounts, but only need to change your own HTML.

On the Stack Overflow blog, Using Your Own URL as Your OpenID describes this, but does not include the 2.0 syntax. For example, for myopenid.com, covering both version 1 and 2:

<!-- OpenID 1.x server endpoint and OpenID 2.0 provider endpoint -->
<link rel="openid.server openid2.provider"
  href="http://www.myopenid.com/server" />
<!-- OpenID 1.x delegate and OpenID 2.0 local identifier at that provider -->
<link rel="openid.delegate openid2.local_id"
  href="http://youraccount.myopenid.com/" />
<!-- Yadis/XRDS discovery document location for OpenID 2.0 relying parties -->
<meta http-equiv="X-XRDS-Location"
  content="http://www.myopenid.com/xrds?username=youraccount.myopenid.com" />

(Alternatively: take full control yourself, and become your own OpenID provider.)
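An added example, not part of the answer above, showing the two halves of this response plan in code: parse the discovery tags on your own delegation page to confirm whether it still points at a compromised provider, and emit replacement tags for a new provider. The sample HTML is constructed from the myopenid.com snippet, and the function names are this example's own, not from any OpenID library.

```python
"""Check and rewrite OpenID delegation tags on a page you control.
Added example, not from the original answer; SAMPLE is constructed from
the myopenid.com snippet and the function names are this example's own."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values used by HTML-based discovery in OpenID 1.x and 2.0.
REL_KEYS = {
    "openid.server": "server",       # 1.x provider endpoint
    "openid.delegate": "delegate",   # 1.x identifier at the provider
    "openid2.provider": "provider",  # 2.0 provider endpoint
    "openid2.local_id": "local_id",  # 2.0 identifier at the provider
}

SAMPLE = """<html><head>
<link rel="openid.server openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid.delegate openid2.local_id" href="http://youraccount.myopenid.com/" />
</head></html>"""

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):  # also called for self-closing <link />
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            if rel in REL_KEYS and a.get("href"):
                self.found[REL_KEYS[rel]] = a["href"]

def parse_delegation(html):
    """Map each OpenID discovery key to the URL declared in the page."""
    p = _LinkCollector()
    p.feed(html)
    return p.found

def still_trusts(html, provider_domain):
    """True if any declared URL still points at provider_domain or a subdomain."""
    for url in parse_delegation(html).values():
        host = urlparse(url).hostname or ""
        if host == provider_domain or host.endswith("." + provider_domain):
            return True
    return False

def render_delegation(server, local_id):
    """Emit 1.x and 2.0 tags pointing at a new provider: the only edit needed."""
    return (f'<link rel="openid.server openid2.provider" href="{server}" />\n'
            f'<link rel="openid.delegate openid2.local_id" href="{local_id}" />\n')
```

Run `still_trusts` against your live delegation page after switching providers; it should return False for the breached provider's domain before you consider the move complete.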