What truly shocked me in this story were the weak password, not of the users, but of the workers. I mean, "arthur"? Really? Personally, I use a system suggested by a fellow Slashdotter: I take a fixed password, append the website's domain, hash it and cut it to 20 chars (plenty of websites have a small upper limit on password length - incredible but true). For example, a possible password (not a real one, the domain is fake) is 9131d179c92b286a5474. Of course, this is for random websites which I don't _really_ care if someone takes over my account - never for something so important as access to a major website's admin account! As for OpenID, I think it's fine as long as I control the URL that identifies me. Right now, if someone hacks and takes control of http://andreparames.com/, I can simply unplug the server, as it's a laptop running in my bedroom. Similarly, if someone hacks myOpenID.com, I can simply change my provider in my website. But using someone else's domain as my ID is a no-go to me, and for most people that's what they'll do.

Posted using my OpenID :) @Vicentvw: Twitter uses OAuth. Facebook as also pledge to support OpenID: http://developers.facebook.com/blog/post/246 I agree with this post; which doesn't mean OpenID should be a strong authenticator, I should be able to create accounts without them being linked to my real identity.