More secure using Google instead of drupal login?

I thought authenticating via Google using openid selector meant that no login info. needed to be present in the drupal user database. I just checked the user table in my drupal database and there is a password set for my user account although I login via google and have never set a password in drupal itself.

I suppose this auto-generated-by-openid-selector password needs to be there but my question is; how is the password constructed, is it secure and can it be used without logging in via openid options?

If I've only logged in via Google (and never using a traditional drupal username and password), can I still login via drupal using the password set by openid selector?

Best regards,
Eriksson

From a quick look around the code, it looks like the openid module calls the function user_password() in core's user.module to generate a 10-character random password.

Since the password is stored in the DB in hashed form, i.e. garbled with one-way encryption, there is no way to know what the random password was and to log in using it.

The module is generating user accounts automatically via OpenID, including passwords.

The user a/cs are full local accounts but the user doesn't see the password, and they can just log in via Google (etc) next time too. However a user could request a password reset and log in via normal Drupal process if they wanted to ...

So, no your site is not "more secure" by virtue of this, no.

You might be able to get away with automatically redirecting the user login form to Google, if that's really what you want.