If you or your users have blogs hosted on the WordPress.com web site, you need to be aware of last week’s report of a security breach involving that site, which may have exposed usernames and passwords. At first glance, this might seem to be a relatively low-impact issue: sure, you don’t want someone putting up blog posts under your name – that could be embarrassing – but the bigger threat is that so many people use the same password for all of their online logons, including sites that hold sensitive data or financial information. If your users set their WordPress passwords to be the same as the passwords they use to log onto the company’s domain, for example, a breach of a blogging site becomes a breach of your network.
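The check a practitioner would want after a report like this is whether any of the leaked passwords actually match an internal account. The script below is an added example (not code from the original article or from WordPress.com) that takes a constructed leaked credential list and a constructed internal directory of salted PBKDF2 verifiers, and reports which users reused their leaked password internally. It assumes the leaked column is cleartext (real dumps are often hashed, in which case you would hash your own candidate the same way), that your directory exposes a verifier you can test against (Active Directory and LDAP use other formats), and an assumed e-mail-to-username mapping; the account names and passwords are made up for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: a leaked credential dump from a third-party site.
# This example assumes the leaked passwords are cleartext, so the comparison
# is direct; if the dump is hashed, hash the internal candidate the same way.
LEAKED_CREDENTIALS = {
    "alice@example.com": "Summer2011!",
    "bob@example.com": "correcthorsebatterystaple",
    "carol@example.com": "hunter2",
}


def make_verifier(password, salt=None, iterations=100_000):
    """Build a salted PBKDF2-HMAC-SHA256 verifier for a password.

    This stands in for whatever your directory stores; the point is that
    the check never needs internal passwords in cleartext, only a way to
    test a candidate against the stored verifier.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


# Constructed sample: the organization's own directory. Two of the three
# users reused the password that was leaked externally.
INTERNAL_DIRECTORY = {
    "alice": make_verifier("Summer2011!"),           # reused the leaked password
    "bob": make_verifier("a-different-passphrase"),  # unique internal password
    "carol": make_verifier("hunter2"),               # reused the leaked password
}

# Assumed mapping from the external e-mail address to the internal username.
# In practice this comes from your HR system or directory attributes.
EMAIL_TO_USERNAME = {user + "@example.com": user for user in INTERNAL_DIRECTORY}


def verify(candidate, verifier):
    """Return True if candidate matches the stored verifier (constant-time compare)."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), verifier["salt"], verifier["iterations"]
    )
    return hmac.compare_digest(dk, verifier["hash"])


def find_reused_passwords(leaked, directory, email_map):
    """Return the sorted list of internal users whose password equals their leaked one."""
    reused = []
    for email, leaked_pw in leaked.items():
        user = email_map.get(email.lower())
        if user is None or user not in directory:
            continue  # leaked account has no internal counterpart
        if verify(leaked_pw, directory[user]):
            reused.append(user)
    return sorted(reused)


if __name__ == "__main__":
    for user in find_reused_passwords(LEAKED_CREDENTIALS, INTERNAL_DIRECTORY, EMAIL_TO_USERNAME):
        print(f"force password reset: {user}")
```

Run it against the real dump and your own directory export and force a reset for every user it lists; users it does not list may still have reused a password on some other site, so the result is a floor, not a clean bill of health.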
For the time being, this reinforces the necessity of using different passwords for different web sites, but in practice it’s difficult or impossible to remember as many passwords as most of us would need. One compromise is a tiered set of passwords: one password for sites that are relatively unimportant (such as sites where you simply read news and post comments), another for those that need a bit more security, and a third, very strong password for the sites where it would be catastrophic for someone else to get access. The caveat is that a breach at any site in a tier still exposes every other site in that tier, so the low tier should hold nothing you would mind losing, and the top tier should never be shared with a site you do not control.
Another approach is decentralized authentication such as OpenID, as discussed in this article from the SANS Internet Storm Center: