

The Road to Better Authorization - psadauskas
http://blog.theamazingrando.com/the-road-to-better-authorization

======
r00fus
The author doesn't really expound why 1password wouldn't work. It's available
for Mac/Win and integrates nicely with FF, IE(Win), Chrome and Safari(Mac).

That software is indispensable to me, as I often login to numerous dev and
test instances of webapps in addition to my shopping and forum sites... I can
now have long, secure passwords/phrases that are autogenerated. In addition,
with dropbox, I have 1password distributed on all my devices.

I avoid the Google problem he mentioned by using separate browsers (i.e., FF for
work, Safari/Chrome for personal) or separate computers/devices (I only really
use Facebook on my mobile). If multiple instances of a particular browser are
desired, something like <http://fluidapp.com/> or Mozilla Prism could be used
to segregate the profiles.

In short, the author ignores existing products and is re-inventing the
process.

~~~
psadauskas
That's a little unfair. I mentioned existing products, and I use them, so I
can't fathom where you get that I ignore them.

I've used KeePass for years, but I have to manually open it and copy/paste
passwords. I've just started using 1Password, and "integrates nicely" is not
how I would describe its interaction with Chrome. Even the 1Password site has
a list of a half-dozen bullet points of critical things the Chrome extension
can't do.

In the very first section, I explain how I'm doing the exact same thing with
multiple browsers, and that "works" (not well) until you get about 3. I have 4
AWS accounts for various projects, and remembering which browser is which is
annoying. What I want is a single button in a toolbar or menu to pick a
different account for a single website, without having to leave my preferred
browser.

I feel like you're sticking your head in the sand. "I've found workarounds to
all the problems he mentioned, so nobody should spend their time trying to
make it better!"

I don't mean to be personal, but you just skimmed out a few things to nitpick,
without really reading the article.

~~~
r00fus
Look, you don't mention Chrome as your one and only browser, and yes,
1password for Chrome isn't as integrated as for Safari/FF, but you can still
use "CMD-\" to log in quite well... what specific issues are you running
into? I've simplified your 5-step process to:
1) Click logout on site
2) CMD-backslash
3) If I have only one account, no step 3; otherwise, choose the account for
the site I want to use from a dropdown navigable by arrows
4) Browser back button (or keyboard equivalent) to go back one page.

Honestly, I agree that the whole issue of managing several accounts on a given
service is quite weak anywhere you go... the fact that websites/services think
you should be limited to one account goes well back before the web (credit
card numbers per servicer, home phone lines, physical addresses)... in all of
these categories it's very easy to assume a given user will only have one
account (and it's true for 95% of the populace). Given the virtual nature of
the web, it's sad that web services fall into this trap as well (e.g. trying
to run several Power E*TRADE Pro sessions for different accounts on the same
box is an exercise in frustration).

You still haven't commented on usage of SSBs like Mozilla Prism for separate
site/account combos (apparently, Prism is the only SSB that separates the
cookie cache).

~~~
psadauskas
I don't mention that, because I don't. I use Chrome for everyday browsing, and
FF for development, because I like Firebug. I've also had to extend my Firefox
usage for a separate set of Amazon credentials. Then I got another one, and it
seems like adding another browser to the mix would be a PITA, which prompted
me to think about how it could be done better.

Whether it's your 4-step process or my 5-step (which are really the same
things, so that's just semantics), wouldn't a 1-step process be much better? If
you really like clicking things, no one is stopping you from doing it your
way, so why poo-poo anybody else's attempt at making progress?

------
davito88
I've always thought password authentication is not the best way to be doing
auth for websites. Certificates seem to be the right solution, but difficult
for the user to manage. (I love certs for SSH.)

~~~
psadauskas
I guess I could expand upon that in the 2nd bonus point. Certificates would
make an excellent extension to HTTP Auth, as long as end-users can self-sign,
like SSH, and not have to pay a $100/yr extortion fee to a company like
Verisign.

~~~
epc
Commercial X.509 certificates are as cheap as $9.95 and there are several free
services. But they are a pain to try to explain to a typical end user: how to
configure and install them in their browser.
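The "self-sign like SSH" model discussed in the three comments above, as an added example that is not part of the thread or the linked post: a site does not need a CA to accept client certificates. It can keep an authorized_keys-style registry of the SHA-256 fingerprints of self-signed certs its users enrolled, and map a cert presented in the TLS handshake back to an account by exact fingerprint match. The script below only needs the `openssl` CLI; the `authorized_certs` file, the account names and the `enroll_cert`/`account_for_cert` helpers are hypothetical names chosen for the illustration. Mallory's cert deliberately carries the same CN as Alice's, to show that the key, not the subject name, is what is trusted.

```shell
#!/bin/sh
# Added example (not from the thread): an "authorized_keys"-style registry of
# self-signed client certificates. No CA is involved; the server stores the
# SHA-256 fingerprint of each enrolled cert and checks presented certs
# against that list.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
AUTHORIZED="$WORKDIR/authorized_certs"   # hypothetical server-side registry
: > "$AUTHORIZED"

# Generate a self-signed client certificate plus private key (like ssh-keygen).
# $1 = output cert path (key is written to "$1.key"), $2 = subject CN
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1" -subj "/CN=$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate: lowercase hex, colons stripped,
# so the stored and presented values compare byte-for-byte.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Enrolment: the user hands the site their public cert once; the site records
# only the fingerprint paired with the account name (one line per cert, so a
# user can enrol several devices, like several keys in authorized_keys).
# $1 = cert path, $2 = account name
enroll_cert() {
    printf '%s %s\n' "$(cert_fingerprint "$1")" "$2" >> "$AUTHORIZED"
}

# Authentication: given the cert the client presented, print the account it
# maps to and return 0, or print nothing and return 1. The match is an exact
# comparison of the whole fingerprint field, never a substring or CN match.
# $1 = presented cert path
account_for_cert() {
    fp=$(cert_fingerprint "$1")
    awk -v fp="$fp" '$1 == fp { print $2; found = 1; exit } END { exit !found }' \
        "$AUTHORIZED"
}

# Stand-alone demo with constructed data: Alice enrols; Mallory presents a
# cert with Alice's CN but a different key and must be rejected.
make_self_signed_cert "$WORKDIR/alice.pem" alice
make_self_signed_cert "$WORKDIR/mallory.pem" alice
enroll_cert "$WORKDIR/alice.pem" alice
account_for_cert "$WORKDIR/alice.pem"
if account_for_cert "$WORKDIR/mallory.pem"; then
    echo "BUG: unenrolled cert accepted" >&2
    exit 1
fi
```

In a real deployment the server would obtain the presented certificate from the TLS layer (with client verification configured to accept any cert and defer the decision to this lookup), and a lost or rotated key would be handled the way SSH handles it: the user enrols a new fingerprint and the old line is removed.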

