Dries, I completely agree with your decision to add OpenID to core. I'd like to see OpenID be a part of a generally improved user authentication and security story for D6. My "wipe open sessions on password-change" patch has already been committed (thanks!). Other changes I suggest:

1. Require (instead of request) a password change after one-time login (http://drupal.org/node/138805). I will finish up this patch and mark it needs-review soon.

2. Add the Persistent Login (aka "Remember Me"; http://drupal.org/project/persistent_login) module to core. Persistent Login is *more secure* than long-life session cookies in addition to providing a better user experience. There are a couple of non-security-related issues for this module I will clean up.

3. Change the default PHP session cookie lifetime to 0 (browser lifetime only). Once Persistent Login is in place, the security risk and database overhead of long-life PHP sessions are no longer necessary.

Thoughts?

Thanks,
Barry
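The three proposals above combine into one model: a browser-lifetime session, a separate single-use "remember me" token stored only as a hash, and both wiped when the password changes. The following is an added illustration in Python, not the Persistent Login module's own code; the token design (random secret, hashed at rest, rotated on every use, expiring after a fixed TTL) is an assumed simplification of how such a scheme can work.

```python
import hashlib
import secrets
import time


class AuthStore:
    """Toy in-memory model of session + persistent-login state (assumed design).

    Sessions live only as long as the browser keeps the cookie, so nothing here
    expires them server-side.  Remember-me tokens are stored hashed, so a leaked
    database copy cannot be replayed, and each token is single-use: redeeming it
    issues a fresh one.  A password change revokes everything for that user.
    """

    def __init__(self, token_ttl=30 * 24 * 3600):
        self.sessions = {}      # session id -> uid
        self.tokens = {}        # sha256(token) -> (uid, expiry timestamp)
        self.token_ttl = token_ttl

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, uid, remember=False, now=None):
        """Start a session; optionally also issue a persistent-login token."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = uid
        token = None
        if remember:
            token = secrets.token_urlsafe(32)
            self.tokens[self._h(token)] = (uid, now + self.token_ttl)
        return sid, token

    def resume(self, token, now=None):
        """Browser came back with no session cookie; redeem its persistent token.

        The token is consumed (popped) before any check, so a replayed token
        fails even if the first use was legitimate.  Returns (sid, new_token)
        or None when the token is unknown or expired.
        """
        now = time.time() if now is None else now
        entry = self.tokens.pop(self._h(token), None)
        if entry is None:
            return None
        uid, expires = entry
        if now > expires:
            return None
        return self.login(uid, remember=True, now=now)

    def change_password(self, uid):
        """Wipe every open session and every remember-me token for this user."""
        self.sessions = {s: u for s, u in self.sessions.items() if u != uid}
        self.tokens = {h: v for h, v in self.tokens.items() if v[0] != uid}
```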