Home » Security Bloggers Network » Whose credentials are they? Mine, or yours?

Whose credentials are they? Mine, or yours?

by Andy Steingruebl on August 7, 2012

I’ve been spending a bunch of time lately thinking about usernames and passwords, and other types of credentials, and concept of “ownership”.

When you get a credit card, on the back it typically says something like – “Your card is issued and serviced by XYZ Bank pursuant to a license from Visa USA. Its use is subject to the terms of your Cardmember agreement”.

The credit card isn’t really your property, it is the property of the bank, and you are just being allowed to use it for payments.

When you sign up for an account online and create a username and password, that website has a decision to make:

Those credentials belong to the website. They aren’t the users property, they are the property of the website and their use, etc. is subject entirely to the terms-of-service of that website.
Those credentials belong to the user. Their use, when the user should use them, where else the user uses them, etc. are entirely in control of the customer.

Since users often (always?) reuse credentials across websites, etc. any individual websites attitude towards user credentials is dictated a lot about how they view user credentials.

A website that would like to pretend that credential reuse doesn’t occur, or isn’t its concern, might not protect them in the same way as a website that believes users maintain a sort of property interest in those credentials, might use them at other sites, and only the user themselves can make a decision about exactly how important those credentials are.

I’m not suggesting that one is right or wrong, but that I think this attitude towards credentials and who owns them can play a major role in how websites view their rights and obligations as it relates to their users.

*** This is a Security Bloggers Network syndicated blog from Security Retentive authored by Andy Steingruebl. Read the original post at: http://securityretentive.blogspot.com/2012/08/who-credentials-are-they-mine-or-yours.html

August 7, 2012August 7, 2012 Andy Steingruebl

Whose credentials are they? Mine, or yours?

Senator Sanders Wants to Own AI Companies — and Hand America’s Adversaries the Keys

NIST’s Nine: The PQC Signature Race Moves to Round Three

The Quantum Arms Race: Why Washington Just Wrote a $2 Billion Check to Nine Companies

Beyond Moore’s Law: The Hyper-Acceleration of Autonomous AI Cyber Capabilities

The Exception Economy: When Security Teams Stop Protecting and Start Negotiating

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

Randall Munroe’s XKCD ‘Soniferous Aether’