Edit: Bruce Schneier is smarter than me.

The number of passwords and logins web users need makes it inevitable they will re-use phrases, warned the International Telecommunications Union.

Re-using these identifiers puts people at serious risk of falling victim to identity theft, said the ITU report.

It called on regulators and businesses to find better ways for people to identify themselves to websites.

This just re-iterates what I’ve said before: “Time is ripe for distributed authentication.”

OpenID already exists, is fairly well proven to avoid these problems and has support in several programming languages and content management systems. The only barrier to overcome is getting joe internet user to understand how it works and how it benefits them.

But whatever you do, please don’t leave it up to regulators.

They were doing this when we went in June… I didn’t like it one bit.

On the one hand, I was amazed that no one really cared… On the other hand, I put my fingers in those machines just like everyone else.

There’s a battle raging on your computer right now — one that pits you against worms and viruses, Trojans, spyware, automatic update features and digital rights management technologies. It’s the battle to determine who owns your computer.

Installing Software on your computer (or sometimes just sticking a CD in) is roughly analogous to letting someone live in your house. Once they’re invited in, they have access to anything in it while you’re not looking. They may even secretly leave unwanted gifts behind after they’re gone. Be careful about what makes its way inside.

Go now, and take your computer back.

We don’t have any evidence that the attackers obtained personal information about site users, and we believe they accessed the machine to use it to send spam. However, it is possible that the attackers acquired information site users provided to the site.

… and a little later in the email …

We recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account.

This is a great reason that a distributed authentication standard needs to be accepted and used across the web… and soon. A distributed single sign on solution would prevent things like this happening… not preventing servers from being compromised, but preventing attackers from finding usernames and passwords that are potentially (and probably) identical to the credentials used to authenticate on other sites.

Of the potential solutions I’ve seen, I think I like OpenID the best. But I would like to see people critique and suggest improvements. The solution needs to work, of course, but it should also be simple and extensible.

It’s time that we stop trusting every site we use with sensitive information.