
Multiple Passwords Login: Good OR Bad

Developer https://www.devze.com 2023-01-28 23:41 Source: web
I am on a quest to create the most flexible user login system I can think of, and am looking for feedback on some ideas. (The system also currently has an OpenID integration option.)

I was in the process of revising one of my user login systems and the concept just hit me...

A lot of people have trouble remembering a single password; the majority of people I know have a few passwords they use from site to site just so they can remember them.

Would allowing users to set multiple passwords (the number could be limited; if the user enters any of them, they will be granted passage) be a good idea, if it could be implemented in a user-friendly manner? Of course the user could just choose to stick with one password and not bother with the option at all...

Obviously the more passwords allowed, the more likely someone is to guess one, but only very slightly...

Would this idea be more beneficial to users or would it just be a pain? (the idea of being able to use more than one password to get in)

What possible security issues could arise from this?

Would it be worth it for the user? (ignoring the extra coding and structuring required)

Any other thoughts...

Forgot password system:

I have already implemented a "Forgot Password" system which does not involve resetting the user's password but simply provides a temporary password that acts like a temporary back door so the user can get in to change a password. I would most likely do the same for this system, but once the user adds a permanent password it would disable the others, or something similar to that... again, it would have to be set up in a user-friendly manner.
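To make the proposal concrete, here is an added example (not code from the original post or its author) of an account that accepts any of several stored passwords plus an expiring temporary password, together with the arithmetic behind the "only very slightly" claim. The `Account` class, the PBKDF2 parameters and the `guess_success_probability` model are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; a real deployment would tune this higher.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class Account:
    """Hypothetical account record: several permanent password hashes plus at
    most one expiring 'forgot password' temporary password (also stored hashed)."""

    def __init__(self, username: str, max_passwords: int = 3) -> None:
        self.username = username
        self.max_passwords = max_passwords
        self.passwords: List[Tuple[bytes, bytes]] = []
        self.temporary: Optional[Tuple[bytes, bytes, float]] = None  # (salt, digest, expires_at)

    def add_password(self, password: str) -> None:
        if len(self.passwords) >= self.max_passwords:
            raise ValueError("password limit reached")
        self.passwords.append(hash_password(password))
        # As the question proposes: setting a permanent password disables the back door.
        self.temporary = None

    def issue_temporary_password(self, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
        """Generate a random temporary password, keep only its hash, return it once."""
        if now is None:
            now = time.time()
        token = secrets.token_urlsafe(12)
        salt, digest = hash_password(token)
        self.temporary = (salt, digest, now + ttl_seconds)
        return token

    def verify(self, candidate: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        matched = False
        # Check every slot without returning early so the response time does
        # not reveal which slot (if any) matched.
        for salt, digest in self.passwords:
            if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
                matched = True
        if self.temporary is not None:
            salt, digest, expires_at = self.temporary
            if now < expires_at and hmac.compare_digest(hash_password(candidate, salt)[1], digest):
                matched = True
        return matched


def guess_success_probability(space_size: int, stored_passwords: int, guesses: int) -> float:
    """Probability that `guesses` distinct candidates drawn uniformly from a space of
    `space_size` equally likely passwords hit at least one of `stored_passwords`
    distinct stored passwords: 1 - C(N-k, g) / C(N, g), as a running product."""
    if guesses > space_size:
        raise ValueError("cannot make more distinct guesses than the space holds")
    p_miss = 1.0
    for i in range(guesses):
        remaining = space_size - i
        safe = max(space_size - stored_passwords - i, 0)
        p_miss *= safe / remaining
    return 1.0 - p_miss
```

Under this model the attacker's chance per guess grows linearly with the number of stored passwords (three passwords means three times the chance of the first guess landing), so the increase is proportional rather than "very slight". Against a real dictionary attack the picture is worse still: the account is only as strong as the weakest of the passwords the user chose.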


Personally, I would find it confusing.

Would it be more beneficial to users? It's possible. I think it may confuse many of the computer illiterate, though.

Would possible security issues arise from it? Not really, other than increasing the chance of somebody gaining access to a user's account.

How would you go about implementing the necessary "Forgot Password" system? Just reset them to one computer-generated password?


I think this encourages people to reuse existing passwords, which is a bad idea. They shouldn't even consider putting in the password to their bank account, just in case they forget one they used specifically for your site.

Consider using OpenID as an alternative system. It allows people to use a single password for any group of websites they considered insignificant enough to deserve a unique, secret password. And on top of it, they never have to tell you what their password is.


You're increasing the likelihood of the site being compromised by a brute-force attack.

The whole subject of authentication is (thankfully) growing beyond the very restrictive notion of a username+password - trying to keep track of lots of different accounts is a PITA. Depending on the constraints of your system, I'd recommend considering openid as an alternative to a dedicated account.


First, I suggest posting your question as a wiki, since there is no single objective answer.

Now, IMHO, it's not a good idea to have multiple passwords. When a user forgets her password, there must be a "reset my password" page, so it's not an issue. Having multiple passwords can make things even worse: the user will forget every configured password (or at least forget what passwords she added to a password list on your website), and the reset procedure will be more confusing in this case.

The security may suffer a bit too.

Last but not least, the system you want to build is very different from the systems we currently use on other websites. It means that:

  • It will be confusing for the users,
  • It will be difficult to build and manage, requiring a different system for password checks, different database schema, a special page for passwords management, etc.


Some sites do link multiple OpenID accounts to one (main) account. Also, if one of your OpenID providers is down, then you can't log in to the site. When a user logs into your system with OpenID, give it a unique id. After that, give the user the option to link another OpenID to that unique id. DO NOT store passwords in your database, but only OpenID URLs, so that your system is safe.
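As an added example (not part of the original answer), here is a minimal in-memory model of the linking scheme described above: an account is keyed by an internal id, several OpenID identifiers map to it, and no password is stored. The `IdentityStore` class and the simple URL normalization are assumptions made for this illustration; in a real system `link()` must only be called after the second identifier's OpenID assertion has been completed in a session that is already logged in as `account_id`, otherwise anyone could claim someone else's identifier.

```python
from typing import Dict, List, Set
from urllib.parse import urlsplit, urlunsplit


def normalize_openid(url: str) -> str:
    """Canonical form of an OpenID identifier: default scheme, lower-cased scheme
    and host, '/' for an empty path, fragment dropped. Assumed simplification."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


class IdentityStore:
    """Hypothetical store: account id -> set of OpenID URLs, plus the reverse index."""

    def __init__(self) -> None:
        self._accounts: Dict[int, Set[str]] = {}
        self._by_identity: Dict[str, int] = {}
        self._next_id = 1

    def login(self, asserted_openid: str) -> int:
        """Return the account id for a provider-verified identifier, creating an
        account on first sight. Caller must have completed the OpenID assertion."""
        key = normalize_openid(asserted_openid)
        if key in self._by_identity:
            return self._by_identity[key]
        account_id = self._next_id
        self._next_id += 1
        self._accounts[account_id] = {key}
        self._by_identity[key] = account_id
        return account_id

    def link(self, account_id: int, asserted_openid: str) -> None:
        """Attach a second (provider-verified) identifier to an existing account.
        An identifier may belong to only one account."""
        key = normalize_openid(asserted_openid)
        owner = self._by_identity.get(key)
        if owner is not None and owner != account_id:
            raise ValueError("identifier already linked to another account")
        self._accounts[account_id].add(key)
        self._by_identity[key] = account_id

    def unlink(self, account_id: int, openid_url: str) -> None:
        """Detach an identifier, but never the last one: with no identifier left
        the account could never be entered again."""
        key = normalize_openid(openid_url)
        identifiers = self._accounts[account_id]
        if key not in identifiers:
            raise KeyError("identifier not linked to this account")
        if len(identifiers) == 1:
            raise ValueError("cannot remove the last identifier")
        identifiers.remove(key)
        del self._by_identity[key]

    def identities(self, account_id: int) -> List[str]:
        return sorted(self._accounts[account_id])
```

With two providers linked, the account stays reachable when one provider is down, which is the availability argument made in the answer; the uniqueness check in `link()` is what stops a second account from hijacking an identifier that is already in use.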

