Comments on: Dave Crooke explains how passwords are stored and used on GetActive systems http://www.nonprofittechblog.org/dave-crooke-explains-how-passwords-are-stored-and-used-on-getactive-systems Confessions of a Non-Profit Executive Director Sat, 13 Mar 2010 11:46:18 -0500 http://wordpress.org/?v=abc hourly 1 By: Allan Benamer http://www.nonprofittechblog.org/dave-crooke-explains-how-passwords-are-stored-and-used-on-getactive-systems/comment-page-1#comment-66496 Allan Benamer Wed, 07 Nov 2007 16:38:49 +0000 http://www.nonprofittechblog.org/dave-crooke-explains-how-passwords-are-stored-and-used-on-getactive-systems#comment-66496 OpenID for your average donor??? I can imagine a lot of pushback from the development people for that. However, this last episode might convince them it's actually not a bad idea at all. For one thing, OpenID would help to lower the number of stored passwords on Convio's site thus lowering its attractiveness to potential ID thieves. Of course, they'd hit the OpenID providers instead but at least that would be a lot more distributed. Even if an OpenID provider were penetrated, it wouldn't affect your entire user community like an eCRM provider breach would. I don't think it's a bad idea but there would have to be a lot of handholding material on the site to migrate users to OpenID. OpenID for your average donor??? I can imagine a lot of pushback from the development people for that. However, this last episode might convince them it’s actually not a bad idea at all. For one thing, OpenID would help to lower the number of stored passwords on Convio’s site thus lowering its attractiveness to potential ID thieves. Of course, they’d hit the OpenID providers instead but at least that would be a lot more distributed. Even if an OpenID provider were penetrated, it wouldn’t affect your entire user community like an eCRM provider breach would.

I don’t think it’s a bad idea but there would have to be a lot of handholding material on the site to migrate users to OpenID.

]]> By: Oscar http://www.nonprofittechblog.org/dave-crooke-explains-how-passwords-are-stored-and-used-on-getactive-systems/comment-page-1#comment-66491 Oscar Wed, 07 Nov 2007 16:29:41 +0000 http://www.nonprofittechblog.org/dave-crooke-explains-how-passwords-are-stored-and-used-on-getactive-systems#comment-66491 An OPEN API, or agreeing on what one-way encryption method to use would have been the way to go, and shouldn't take significantly more time to implement. Maybe we tell folks to ask for OpenID support for single-sign on? An OPEN API, or agreeing on what one-way encryption method to use would have been the way to go, and shouldn’t take significantly more time to implement.

Maybe we tell folks to ask for OpenID support for single-sign on?

]]> By: Allan Benamer http://www.nonprofittechblog.org/dave-crooke-explains-how-passwords-are-stored-and-used-on-getactive-systems/comment-page-1#comment-66463 Allan Benamer Wed, 07 Nov 2007 15:06:26 +0000 http://www.nonprofittechblog.org/dave-crooke-explains-how-passwords-are-stored-and-used-on-getactive-systems#comment-66463 Agreed. However, I don't think it was necessarily the vendor's fault. There's a lot of demand for an "e-mail the forgotten password to the user" feature as well as for the "mass download of passwords for a single sign-on" feature. I would venture to say that those demands were generated from the marketing and fundraising departments of large nonprofits. Both features would certainly enhance ease of use for all users on a GetActive-powered site. That was probably why it was demanded of GetActive. And frankly, it's the techies that should have been the last check on those "features". Clearly, the techies should have demanded a one-way hash for password storage. Also, techies have been demanding an open API for years and that would have obviated the need for a single signon kludge like the "mass download of passwords" feature. There needs to be a balance between the fundraisers and techies in the nonprofit sector. If anything, this shows the need to have all stakeholders equally represented and given equal say when selecting a vendor and asking for new features. Agreed. However, I don’t think it was necessarily the vendor’s fault. There’s a lot of demand for an “e-mail the forgotten password to the user” feature as well as for the “mass download of passwords for a single sign-on” feature. I would venture to say that those demands were generated from the marketing and fundraising departments of large nonprofits. Both features would certainly enhance ease of use for all users on a GetActive-powered site. That was probably why it was demanded of GetActive.

And frankly, it’s the techies that should have been the last check on those “features”. Clearly, the techies should have demanded a one-way hash for password storage. Also, techies have been demanding an open API for years and that would have obviated the need for a single signon kludge like the “mass download of passwords” feature. There needs to be a balance between the fundraisers and techies in the nonprofit sector. If anything, this shows the need to have all stakeholders equally represented and given equal say when selecting a vendor and asking for new features.

]]> By: Brian http://www.nonprofittechblog.org/dave-crooke-explains-how-passwords-are-stored-and-used-on-getactive-systems/comment-page-1#comment-66324 Brian Wed, 07 Nov 2007 06:53:02 +0000 http://www.nonprofittechblog.org/dave-crooke-explains-how-passwords-are-stored-and-used-on-getactive-systems#comment-66324 The point of securing passwords is not so someone can find the value of your house, it's because many people use the same passwords on many systems. Someone's donation site passoword may be the same password they use to access their e-mail, or God forbid, their banking information! The point of securing passwords is not so someone can find the value of your house, it’s because many people use the same passwords on many systems. Someone’s donation site passoword may be the same password they use to access their e-mail, or God forbid, their banking information!

]]>