

We're turning off Clickpass March 15. How to keep your HN account. - pg

We're going to stop supporting Clickpass on March 15. If you use
Clickpass to log in to Hacker News, please

(1) put your email address in your profile (no one can see it except you
and us), then

(2) change your password by going to http://news.ycombinator.com/changepw.
======
KevinMS
The fact that Clickpass even exists made me realize openID was DOA.

I spent a day implementing openID for the users of my website, because I
realized, hey, what a cool idea, a URL can represent a single user on the
internet, and that user can authenticate against it universally.

The sad truth was that I could not expect a single one of my users to even
understand what the hell was going on, because for most test openID accounts I
set up on yahoo, etc, I couldn't figure out how to use them. Only the hand-
holdy sites exclusively for openid even bothered to tell me what my personal
URL was and how to use it.

That was when I realized that Clickpass only exists because the implementation
of OpenID was a total pooch screw.

If the OpenID standard had required it be simple, like the URL must follow
this template - google.com/openid/kevinms and yahoo.com/openid/kevinms, and
the user just pasted this into the box, I think it might have been a success.
But because they didn't, and they convoluted it more with the concept of your
"unique identity on the internet", you need third party services, which are
unnecessary layers that are completely confusing to the user.

~~~
justjohn
I always thought that the problem with openID is they didn't use email
addresses instead of URLs. e.g. use john@example.com and require a certain url
template for the endpoint e.g. example.com/openid/john

That way I don't have to remember another identifier and we already trust at
least part of our identity to our email provider. Not perhaps as open, but
much more approachable as a user.

~~~
xp84
Hate that idea. I don't want to have to share my email address, in fact that's
a primary reason why I always use my open ID (which is unrelated) when
possible. Providing email as a credential creates an implicit, if not
explicit, invitation "Here, spam me." This is why I'm generally against using
email as an identifier.

Other examples that all suck for this reason: Apple IDs. Windows Live ID.
Jabber.

~~~
drivebyacct2
How do people operate in the 21st Century internet treating their email
address as private? I've never been reserved about giving out my email address
and I've never had a spam or harassment problem. Ever.

~~~
lrobb
Back in "the day", users were bombarded with warnings to never give out their
email address, lest something _bad_ happen... at one point in time, if you did
post your email publicly, it would quickly become unusable as the spam tools &
regulations were _way_ behind the spammers. I'm sure there's still a huge
contingent out there afraid of putting their email into the wild.

------
Poiesis
_(no one can see it except you and us)_

Offtopic, but I used to think that too until a coworker I'd never met emailed
me using that address, warning me that apparently the proxy had cached my view
of my profile page and he was able to view it. Has this been fixed yet?

~~~
biot
You mean nobody can see it except you, YC, and the man in the middle?

Your system is set up to ask your corporate proxy to fetch unencrypted pages
for you. That proxy may be configured to make a physical printout on your
boss's printer of every page you request and there's nothing YC can do about
that beyond offering <https://news.ycombinator.com/> for you to use. That,
too, may not be sufficient if your company has its own trusted SSL cert
installed which is used to proxy and intercept everything so that all your
internet activity can be decrypted.

~~~
aprescott
<https://news.ycombinator.com/> is available! https HN links come up in Google
results (at least from memory).

------
immad
I am one of the co-founders of Clickpass and I think this is a great move.

I wrote the HN code in about 2 days and I was learning lisp/arc so it was
awful code (RTM did the openID part) and literally no one has touched
Clickpass code for 2.5 years. The fact that it still works is always
surprising to me :).

Also I think Oauth beat OpenID hands down.

~~~
dshah
Did you mean "no one has touched the code in 2.5 years?" If so, then that is
indeed surprising.

And yes, OAuth did beat OpenID, but they're not really the same kind of thing.

~~~
immad
I know, but for all intents and purposes OAuth ended up being a superset of
OpenID.

--- corrected years

------
petenixey
Immad's already weighed in on this but as the other Clickpass co-founder I
also support this decision.

OAuth has definitely trumped OpenID as a protocol but turning off Clickpass
shouldn't be seen as a reflection on either protocol and is simply removing a
dependency on unsupported and remotely hosted code.

Immad did an incredible job of writing code that has run and run; however, since
acquisition there is minimal and subsequently no support behind the codebase.

I would like to thank both PG and the users of Clickpass here who have been
such ardent supporters of it over the years. We tried hard to make it
attractive to developers and we received a lot of support for that - thank
you.

------
candeira
A suggestion: please have users input their new password twice to catch typos.

------
manuscreationis
Any particular reason for the change? (Just curious)

------
spicyj
While we're on this topic, can you add a note to the profile page that says
that email isn't publicly visible? This seems to be a common source of
confusion.

~~~
alt_
There's already a bright yellow box that informs you about that, but it only
shows when the e-mail field is empty.

~~~
spicyj
Hmm, okay. It still seems that people are often confused by this, though.

~~~
alt_
I'd lean towards a check box with 'make e-mail address visible (to registered
users)'. That way you get the implicit message that it's invisible by default
and can share it if you like.

------
dazbradbury
I would love an overview of why you're moving away from using Clickpass...

Clearly people are using it (given this message), and as many of us are web
developers, the thought process behind this decision would be potentially very
interesting.

Do you plan to move to a different system (FB Connect/Twitter/Google Identity
Toolkit), or are you happy with a standard username/password model?

Are too many people joining HN and you simply want to add some friction to the
process?!

Also, clickpass will need to update their site:

<http://www.clickpass.com/docs/where-you-can-use-clickpass>

------
rb2k_
PSA:

Putting your email address in your profile is important. I once used to be
"rb2k", but then I forgot the password I used back then and ended up as
"rb2k_". There is no way to reset the password on an account if you're not
adding an email :(

------
StavrosK
Are there any plans for BrowserID auth, perhaps?

~~~
latchkey
Yes! Please please please implement BrowserId. This is the one
authentication/login system that actually has a real fighting chance. We've
implemented it for our site (next to FB login) and we are really happy with
it.

~~~
atdt
Could you explain why? When I last looked, a crucial component wasn't specced,
meaning you had to rely on Mozilla for part of the handshake. Have things
changed?

~~~
latchkey
Why what? Why we are happy with it? It is easy to implement and the people
creating it are smart. They've done a good job so far, I see no reason why it
won't be successful in the future.

The browser integration will be amazing when it's ready, but until then, it is
the closest thing to FB auth without requiring FB or people to give up their
friends list or other information they are concerned about.

I'm not sure what 'crucial component' you are talking about, but we are just
using browserid.org.

------
dotBen
When a tech-audience orientated website like HN stops using OpenID, I think we
can say that OpenID is firmly dead.

Sad, I think HN was one of my last consumers of my OpenID account.

~~~
sp332
I really like using OpenID on StackExchange sites. I just click the "Google"
button and I'm logged in!

What's funny to me is how many sites rushed to be OpenID providers, but there
were not very many consumers. I tried counting once but I lost count at 15
OpenID accounts that I have from various sites. So much for single sign-on.

------
jzila
Is there a blog post associated with this decision somewhere? Is my scenario
of logging in with a Google account that uncommon?

(just FYI, until this decision, HN had the most seamless signup procedure I've
ever encountered on a website)

------
DiabloD3
I've never heard of Clickpass, what is it?

~~~
sciurus
Bringing OpenID To The Masses: Clickpass

<http://techcrunch.com/2008/03/11/clickpass-could-change-the-way-you-surf-the-web/>

------
swapsmagic
What is the reason behind stopping support for it?

------
mbq
Boo, give me OpenID back! Or at least don't do password reset via HTTP.

~~~
drivebyacct2
> Or at least don't do password reset via HTTP.

Huh?

~~~
jbarham
Use HTTPS for password reset, not (unencrypted) HTTP.

------
MichaelApproved
How will you let others know once this falls off the front page?

------
ars
Since notifo is shutting down are you going to remove that?

~~~
Splines
Is there a standard to support web callbacks (or whatever they're called)? I
wouldn't mind hooking up HN to Prowl, since that's what I did with Notifo
anyway.

------
wickedchicken
_crosses fingers_ scribd next, right?

------
vessenes
https link would be nice, unless I misunderstood what was happening there, my
password went out in the clear.

~~~
eslaught
<https://news.ycombinator.com/changepw> works just fine actually, even though
pg apparently forgot to put the 's' in the link.

------
wizard_2
I'd like it if you could still support openID. It's still very useful despite
its flaws.

------
kfcm
It might be a good idea to make this a "sticky post", and keep it in the top
10 until March 15 (or 16th). Maybe even automagically move it up the closer we
get to March 15th.

------
AndrewHampton
I just followed the steps, but I'm getting a "Bad login." message when I try
to sign in using Chrome's incognito mode. How long before the new
username/password combo works?

~~~
pg
It should work immediately. So either you mistyped something or incognito mode
does something that breaks login.

~~~
skeletonjelly
I can't see it being the latter. I've used incognito mode to test logins for
web development and there's nothing out of the ordinary.

------
donniezazen
Something along the lines of Clickpass is good. It saves people from making hundreds
of accounts and same passwords for many sites.

------
Drbble
Thanks. Big win for user security on the Internet.

~~~
icebraining
How so?

------
lhnn
Obviously, many people would like to know why this is being done, if not for
matters of convenience, for curiosity.

