> Security purists love to advocate that password reuse is evil, but who in the first place is going to be your attacker and for which purpose?
You don't know, that's why password reuse is evil.
Years ago when I made my Facebook account it used the same password as all my other accounts. Now that I use Facebook as an OpenID provider for pretty much any news site, I would be exposing myself and my friends to all sorts of attacks if someone hacked a phpBB forum that I frequented years ago. You could make the argument that only important sites should have unique passwords, but you, your grandmother, and I all have a different definition of important sites.
OpenID does not provide your password to each site that you use it on... It uses a token that only that site can use, for the permissions that were shown when you created the token. If someone did acquire that token, you could just change your Facebook password and the token would expire.
If my Facebook password and some old website's password are the same, my Facebook can be compromised. Then the attacker can run around on the net pretending to be me at any OpenID-accepting website.
OpenID isn't being attacked or at fault, it's non-unique passwords.