views: 56

answers: 2

Are OpenID Identity URLs considered sensitive information? For example, is it safe to store plain text OpenID Identity URLs in a DB or whatnot?

I can't think of any reason that you shouldn't... but damn am I good at being wrong sometimes!

+2  A: 

The OpenID is, basically, the User Name portion of a login. You don't need to treat it with any more security than you would any other UserID.

Donnie
The problem is that an OpenID can be used in numerous places. As it becomes more adopted, any given ID will carry more risk, making it more valuable.
Noon Silk
... It should be noted that user names are still a _little_ sensitive, in that one must be concerned with user name enumeration, though not to the point of requiring hashing and salting.
LeguRi
@Richard - That's why I phrased my answer the way I did instead of saying "nah, don't worry about it any" :)
Donnie
+3  A: 

In my opinion, it should be considered secret. It's safe to store in DBs as plain text, but I wouldn't go around displaying people's OpenIDs for anyone to view. There are numerous reasons, some being:

  • It's not necessary
  • It (combined with the password) is the key to a lot of doors; thus it looks quite juicy to an attacker
  • On individual websites you can customise your identity; if the OpenID is public on each of these, it would be possible to gather information about somebody who has tried to maintain independence on various sites

It's not critical that it remains private, however, hence the extra effort to hash (and salt/etc) it is not really necessary. It just creates another place to maintain a bit of complexity, and an area that could go wrong. That said, if I saw it done, I wouldn't really be upset about it.

Certainly, I think it is wrong to consider an OpenID as a public bit of information.

Noon Silk
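The position taken in this answer (plain-text storage as a lookup key, no public display, and the enumeration concern raised in the comments on the first answer) as an added example, not code from the original thread. It uses an in-memory SQLite table with constructed sample users; the function names and the `viewer_id` convention are assumptions.

```python
import sqlite3
from dataclasses import dataclass

# Constructed schema: the OpenID identifier is a plain, unique lookup key.
# Hashing it would break the login-time lookup and buys little, as the
# answer notes; the control is not to expose it, not to obscure it at rest.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    display_name TEXT NOT NULL,
    openid_url TEXT NOT NULL UNIQUE
);
"""

@dataclass
class User:
    id: int
    display_name: str
    openid_url: str

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def add_user(conn: sqlite3.Connection, display_name: str, openid_url: str) -> User:
    cur = conn.execute("INSERT INTO users (display_name, openid_url) VALUES (?, ?)",
                       (display_name, openid_url))
    return User(cur.lastrowid, display_name, openid_url)

def find_by_openid(conn: sqlite3.Connection, openid_url: str):
    """Internal lookup used when an OpenID assertion arrives; plain equality on the key."""
    row = conn.execute("SELECT id, display_name, openid_url FROM users WHERE openid_url = ?",
                       (openid_url,)).fetchone()
    return User(*row) if row else None

def profile_view(user: User, viewer_id) -> dict:
    """Serialise a profile for display. Only the account owner (viewer_id == user.id)
    is shown the OpenID URL; every other visitor gets a view without it."""
    view = {"id": user.id, "display_name": user.display_name}
    if viewer_id == user.id:
        view["openid_url"] = user.openid_url
    return view

def lookup_response(conn: sqlite3.Connection, openid_url: str) -> dict:
    """Public-facing response to a login attempt. It is identical whether or not the
    identifier is registered, so the endpoint cannot be used to enumerate OpenIDs;
    the existence check stays server-side only."""
    _ = find_by_openid(conn, openid_url)  # result used internally, never echoed
    return {"next": "redirect_to_provider", "message": "Continue at your OpenID provider."}
```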