Comments on: MyVidoop Tries to be Everything You Need for Login Security

By: Jason the Content Librarian » Blog Archive » Exploring OpenID and identity 2.0 resources

Wed, 10 Oct 2007 21:15:46 +0000

[...] a concept called OpenID. But I had never taken any concrete steps to learn more. But last week Web Worker Daily had a post about a very interesting new OpenID service, called Vidoop. Vidoop is an OpenID provider, so when [...]

By: Scott Blomquist » Blog Archive » The hard FAQs about Vidoop

Scott Blomquist » Blog Archive » The hard FAQs about Vidoop — Wed, 10 Oct 2007 05:36:52 +0000

[...] have been some good blog conversations lately about myVidoop.com and Vidoop Secure (over at Judi Sohn’s Web Worker Daily review of myVidoop, or Carleen Hawn’s write-up over at GigaOM for [...]

By: Wondering

Wondering — Tue, 09 Oct 2007 20:46:41 +0000

S.W.

You need to go back to school. How exactly does a password (no matter how complex) combat simple keystroke logging? automation? guessing?

-WONDERING what kind of security related authority you have especially since you sound like you are just hating.

By: S.W.

S.W. — Tue, 09 Oct 2007 07:48:35 +0000

@Judi

On an authorized computer, the login system is worthless and can be defeated by anyone in seconds. So, the whole hype about their image grid is complete bunk. They’re better off using a plain old password.

The entire security of the system relies on the “software token” (a.k.a. a cookie). Since this token is sitting on a drive and written by a user process, it’s vulnerable to being stolen malware. It’s disingenuous for them to be touting this as a protection against keyloggers when it’s just as easy for malware to grab the activation data.

By: Judi Sohn

Judi Sohn — Mon, 08 Oct 2007 22:14:35 +0000

@S.W. Perhaps, but you have to be sitting at a computer that MyVidoop has already authorized.

By: S.W.

S.W. — Mon, 08 Oct 2007 20:19:58 +0000

This login scheme can be defeated by an illiterate person clicking reload a few times. All they need to do is keep track of which image categories are consistently displayed. I broke my own password in 3 reloads.

This can be automated by scraping and classifying Vidoop’s image library.

By: Judi Sohn

Judi Sohn — Sun, 07 Oct 2007 10:51:56 +0000

Thanks, George. I don’t know why I didn’t notice that before.

I’m still enjoying MyVidoop, but one thing about the Firefox plugin is driving me crazy: The timeout is way too short. I can be reading a long article or writing an email, and MyVidoop will log me out. I understand that it can only monitor browser activity, so if I’m working in email or Word the plugin thinks I’ve left the computer. But the time has to be longer than it is.

By: links for 2007-10-06 « Zero influence

links for 2007-10-06 « Zero influence — Sat, 06 Oct 2007 00:38:32 +0000

[...] MyVidoop Tries to be Everything You Need for Login Security « Web Worker Daily Short review on Vidoop. I so love this platform. (tags: login authentication advertising transaction SSO Token) [...]

By: George Louthan

George Louthan — Fri, 05 Oct 2007 18:20:42 +0000

Thanks for the write-up! And, speaking as the person attached to the hand in that video, I always get a kick out of seeing that around.

One thing that I’d like to add is that, though only one username will autofill, changing it to a different saved account is just a matter of clicking the “username” field and selecting the one you want to use, if that makes sense.

Again, all this attention we’re getting is so exciting, and I want to thank everyone for being interested.

By: Scott Blomquist’s Online Identity, 2.0 » Blog Archive » Every week should be like this one!

Fri, 05 Oct 2007 03:53:14 +0000

[...] We’ve had a few good write-ups this week. Especially an article in Financial Week and a review of myVidoop in Web Worker Daily. [...]