

OpenID Is Why I Hate The Internet - twampss
http://teddziuba.com/2008/09/openid-is-why-i-hate-the-inter.html

======
wayne
I had the same beef when I was getting into Stack Overflow. OpenID just
complicates the signup process with little tangible benefit, solving a problem
few users actually have. UI-wise, it feels little better than Microsoft
requiring a Passport account, only OpenID is even more complicated since you
have many different providers to choose from. Maybe it'll be awesome in 5
years when users all understand what OpenID is about or after more sites
design kick-ass UIs around it.

~~~
kajecounterhack
I don't see why it will ever be "awesome." Any system that lets you use the
same password/username for every site is a recipe for disaster, I think. Well,
the key problems I see with this whole getup are:

1) Phishing? 10x Easier if everyone used Open ID. Masquerade as a provider,
phish happy.

2) If someone has their password stolen...there goes _every account they
have_. Albeit, without open id, this is sadly often the case anyway. (Not for
me, but for most people.)

3) How hard is it, really, to register for a freaking website? Name, address,
mailinator email. Done, no hassle.

IF Open ID is to be useful, it has to be able to log people in with _extreme
ease_ , otherwise the time-saved benefit of not entering these reg forms will
be eradicated by the complexity of the system itself. And obviously...openid
is NOT extremely easy. In fact, it's quite the opposite. Even for a power
user...unless you're signing up for many many many many accounts, it's not
helpful.

~~~
mechanical_fish
_I don't see why it will ever be "awesome."_

That's the translation of "maybe it will be awesome in five years". In web
terms, five years is practically as far away as the heat death of the
universe.

When we're trying to be polite, we geeks adopt the legendary phrasing
techniques of the Japanese: We almost never use the word _no_. Instead we say
"it's _really_ quite difficult".

------
jrockway
Every time I see an OpenID site, I just type "<http://jrock.us>" and am
instantly signed up. No username and password selection, no waiting for the
retarded e-mail confirmation e-mail... I am instantly registered for any site
by just typing a few letters. I am really unsure why people dislike OpenID. As
a website user, my time is saved. As a website developer, my time is saved. I
suppose if you never intend to use more than one website, OpenID is a waste of
time. For everyone else...

I think this guy would dislike e-mail if Facebook messaging had been invented
before it. "Everyone with their own domains? That's too confusing. How will we
ever explain it? Everyone except me is too dumb to understand!"

(As an aside, why is everyone so obsessed with making things "easy" for
"users" they've never met? People aren't as dumb as you expect. Make it work
for yourself first -- at least it will be good for one person that way. Your
unresearched assumptions are harmful.)

~~~
brianr
_People aren't as dumb as you expect._

You're right--they are about 10 times dumber. Have you been on Facebook or
MySpace, or read YouTube comments lately?

~~~
streety
What percentage of the internet-using public is responsible for the type of
YouTube comments you're talking about? You can't take what is the worst
display of human intelligence and hold it up as the standard or average with
which you label everyone.

Even taking the YouTube commenters, I suspect most of them would be able to
grasp OpenID if it stood between them and the next ROFLMAO-able video.

~~~
burp
Second sentence is nice

------
compay
I spent most of yesterday implementing openid on a site I'm developing.

The problem is not the underlying mechanism but rather the way it's been
presented on most sites. Remembering an openid url is counterintuitive for
most people - you have to explain too much to all but the most technical users
in order for them to know what's going on.

But now there has been some progress: Yahoo became an openid provider a while
back, and they allow you to log in with their openid by simply entering
"Yahoo.com," you don't even have to remember your openid URL.

I also used JanRain's ID Selector Javascript widget to make the signup form a
little more intuitive:

<http://www.idselector.com/>

So really I think openid is getting much better as it matures and its
developer community tweaks it and the tools around it. If Google and Microsoft
fully get on board (which they are promising) I think it will see pretty
widespread adoption.

~~~
MicahWedemeyer
Thanks for the idselector link. I'll be installing that on my site this
weekend :)

------
derefr
I don't quite understand this. I may not be using OpenID correctly, but when I
ask my users to login, they just pop in their OpenID URI (that is, their
username--that's what it's labeled as on my webapps, and that's what it is)
and get auto-directed through their provider's auth system, showing up as
simply a two-second redirect. When they don't have an OpenID URI yet, I send
them over to a provider _I_ trust--right to their registration form--with the
first part (their desired username) already filled in. How is this harder than
normal registration? The only difference is that, when you aren't logged into
the provider and you have to enter your password, it goes on the second login
page, rather than the first. I don't even call it an "OpenID provider" in the
FAQ, but a "security service." That's what it appears as to people: someone
I've outsourced all the cryptography and password stuff to so _I_ don't have
to be smart about it.

Those that know about OpenID can use their own providers, but those that don't
_care_ won't have to think about it; they'll just use the one I pick (which is
no worse than trusting me with their made-up-on-the-spot credentials, which is
what they'd be doing otherwise anyways.) If they _start_ caring, they can make
a new ID with a provider they choose--I fully allow for account URI changes;
it's not that hard to implement. In fact, the whole OpenID set-up for me was
two library calls (discounting the fact that I had to hack the library itself
to add in Simple Registration support, so I could automatically set users'
nicknames to their OpenID accounts' nicknames on each login. It's discountable
because I submitted a patch, so no one else will have to worry about it.)

~~~
jamongkad
I see Ted's point by trying to read your post about OpenID, even I don't get
it.

~~~
derefr
Well, I was coming at it from a developer's point of view. Here's a user
story:

1\. I don't have an account with this site. They say that if I have an account
with (any of these other OpenID-supporting sites), though, that that one would
work instead. Neato, but I don't use any of those, so:

2\. I'll click on the register link here. Ah, here's a registration page. It
doesn't have the site's logo on it, but they said that would happen--they've
outsourced this part.

3\. Registered. They gave me a link, and said "just treat it as your
username." OK; I'll try to remember it, then. "It'll also work on all those
other sites we mentioned, and more every day." Neato again; I might check some
of those out.

4\. I'm back on the site I started at, and I've already been logged in. They
got my nickname right and everything.

(days pass)

5\. "You've been logged out of the site due to inactivity." Oh, well, what was
my username again? That link thing? Oh, here it is in the autocomplete.

6\. Hey, it didn't ask me for my password! What the heck? I'm just logged in
all of a sudden. I guess that's good, then.

(weeks pass)

7\. "You've been", "inactivity", blah blah blah. Autocomplete.

8\. Oh, I'm back on that site that did the registration. _They're_ asking me
for my password. Makes sense--they're the only ones that I told that
particular detail. Put that in...

9\. Ah, I'm back on track and logged in again. Nice.

~~~
axod
Sorry but that's just way way way too confusing for most internet users.

They know how standard registration/login works. They have a browser that
remembers passwords for them. They don't need OpenID.

~~~
jrockway
How do you _know_ this is too confusing? Did you ask anyone? Did you do any
research?

Why is this confusing but e-mail isn't? If I want to send and receive e-mail,
I have to find my own provider. I also have to remember this weird string,
"me@example.com". THAT'S TOO HARD FOR THE AVERAGE USER!!11!

~~~
axod
I agree... For quite a lot of people email _IS_ too hard for them. Sometimes
takes them quite a while to understand how it works. I'd say openID is orders
of magnitude more complex and more worrying.

I tried using openID once. It directed me to google or yahoo or something to
log in... So then I had to decide if it was _really_ google or yahoo, or if it
was some phishing site.

It's a terrible idea, which is sure to fail. There is no compelling reason for
people to use it.

~~~
jrockway
How do you know you're really at news.yc when you log in?

------
maxklein
I agree completely. OpenID is utterly flawed. If ever OpenID in its current
form gains acceptance, I will eat my hat. And put the video of me eating it on
YouTube.

OpenID is just a weak idea that needs a LOT and LOT of pushing to make it
accepted. Look at the iPhone - nobody pushes you to use it, you see it, like
it and use it.

With OpenID people have to be forced to use it, because it's cumbersome and
does not offer any clear advantage.

Like I've said earlier, the real auth solution is the one where you simply
stick your USB stick into a machine, type a 4 letter pin and everything on
that machine is authenticated till you take it out.

A weak concept pushed by technologists and people who want to give talks and
earn money off this technology.

~~~
thwarted
"stick your USB stick into a machine, type a 4 letter pin and everything on
that machine is authenticated till you take it out."

This is doable now with client-side certificates. Nobody supports getting
user creds from client-side certs though. Would they be easier to understand
than OpenID? Would they be easier to understand than username and passwords?

------
sutro
OpenID and enterprise Single Sign-On counterparts like SiteMinder are trying
to solve a problem that browser-based credential vaults have rendered largely
obsolete.

~~~
mechanical_fish
Yep. I've said the same thing before: 1password for the Mac. You pay $35,
once, and suddenly every site on the web supports auto-filling of gigantic
automatically-generated strong passwords. You can stash your non-Web passwords
in its lockbox, too.

There are occasional glitches and annoyances (my pet peeve is that so many of
the sites in the world don't actually support long passwords containing
symbols). But you can fix the problems, because it's pretty obvious what
1password is doing and the whole thing is right there on your machine.

I'm sure there are similar programs for Windows, though I can't recommend one.

------
MicahWedemeyer
My site uses OpenID, and I'm surprised at how many users actually do
understand it.

It's especially true in the case of Yahoo users. All they have to do is type
in "yahoo.com" and they're in. Try and explain to me how it's easier to
remember a bunch of usernames and passwords than "yahoo.com"

And remember: There are no overarching guidelines on usernames and passwords,
so the whole "use the same one every time" almost works...but not quite. One
site requires a 6-letter password, another requires 9 with one uppercase
letter and a number, while another has no requirements whatsoever. That crap
gets frustrating as hell for me and there are several sites that I have to re-
request my password every freaking time I go.

As more and more big sites come on as providers, like MySpace and Yahoo, it
will only get better. I agree that there are issues with presenting and
explaining it to users, but the underlying premise is a good one.

~~~
MicahWedemeyer
Note: We use OpenID _as an optional alternative_ to a regular
username/password. To force users to use OpenID is pretty ridiculous.

------
shadytrees
You can pry OpenID from my dead body. It moves user account controls back to
the user. Want to delete an account? Delete access to the website rather than,
usually, having to email the administrator. Want to only log in once to see
what the website looks like? Click "Allow Once" instead of "Allow Forever."

~~~
MicahWedemeyer
I never thought about the delete access aspect. That's a good point.

Plus, since you never give a password, you don't have to worry about how
they're storing it. Plain text in the database? passwords.txt file in the
webroot? Doesn't matter because they don't have it.

------
sethg
_We have had a solution to this problem for decades: using the same God damned
username and password for every website that needs them._

This is what I do...except that every once in a while, I try creating an
account on a new site and discover that someone else has taken "sethg". Or the
site has some rules about what characters are mandatory/forbidden in a
password, and I can't use my default password. Or the site stores passwords in
the clear and gets hacked, and I have to remember everywhere I used that
default password and go change the password.

In the grand scheme of things this is only a minor irritation, but whenever I
go to a site that I only expect to visit once every six months and discover
that I have to create yet another site-specific account, I think, "I wish they
supported OpenID."

------
petercooper
Amen! I totally get OpenID but it's yet another technology with no significant
benefit to the average joe (or, rather, no benefit that outweighs the
disadvantages). Like RSS, this remains one for the power users.

------
christefano
Like Ted Dziuba, I also didn't have an OpenID when joining Stack Overflow.
Instead of becoming annoyed with OpenID (which, admittedly, I am), I became
annoyed with Stack Overflow for requiring one.

What I did was register my own domain (callna.me) and install Drupal 6 with
the OpenID Provider module. Instant OpenID.

Anyway, his post makes him sound like an idiot. It's a good thing comments are
turned off on his post.

~~~
axod
"What I did was register my own domain (callna.me) and install Drupal 6 with
the OpenID Provider module. Instant OpenID."

So simple your grandma could do it eh?

~~~
christefano
You seem to be missing the point of both Ted's post and my response. Ted's
point is that it's hard to understand OpenID and implement it. My point is
that it's easy.

~~~
axod
Well the overwhelming point is that for the average user, OpenID solves
nothing, confuses them, and offers no benefit. It also does more harm than
good IMHO opening the door to countless phishing attacks.

~~~
christefano
I agree with you there. 100%.

All public OpenID providers should be using valid SSL certificates. For some
reason that is terribly, terribly wrong, some providers don't (like
<https://alwaysknownas.com>, <https://openid4u.net> and <https://openid.es>).

------
theoneill
Ted Dziuba is why I hate the Internet. I don't just mean that as a clever
reply to the title. The Internet lets everyone be heard, instead of just the
"qualified" people who used to get to publish their opinions in the print era.
For the most part that's good, but there's a small group of writers who
specialize in mean-spirited linkbait that makes me miss the editors who
filtered everything in the old days.

~~~
raganwald
"The Internet lets everyone be heard" => upmodded for truth. Everyone gets a
soapbox and the right to yell as loudly and as profanely as they like.

"instead of just the "qualified" people who used to get to publish their
opinions in the print era" => upmodded for humour. Have you ever read anything
in a newspaper owned by Conrad Black? Or anyone else, really? Print media may
employ professional journalists.

But their "research" is flawed, they have a habit of regurgitating press
releases from their advertisers and the political parties their owners
support, and they pander to the prejudices of their readers.

Freedom of the press belongs to everyone who can afford a printing press. The
internet is the cheapest, most unencumbered and uncensored printing press in
history.

~~~
olefoo
Which is what makes it both the most endearing and the most infuriating
timesink ever.

------
extension
OpenID is not that hard to understand and will become even easier when more
social sites become providers. The concept of your Facebook profile being your
universal online identity is quite intuitive, especially to young people.

There is also a lack of best practices for consumers. When UI conventions are
established and users become accustomed to them, it won't seem so confusing.
Ideally, the creation of an OpenID associated "account" with a consumer would
happen transparently the first time the OpenID is used, if it even needs to
happen at all.

As for developers, OpenID may be more complicated to implement than
conventional user/pass but it is also more uniform. Once there are _mature_
libraries for common platforms, programmers will save a lot of time versus
implementing user/pass from scratch. (I would not consider many current ones
to be mature). Anyway, I'm not so sure OpenID is more complicated than a
_proper_ auth system with email verification and recovery.

------
alex_ndc
I wouldn't mind using OpenID if it actually worked. When I try to login to
stackoverflow, it sometimes gives me the following error message ...

"Unable to login with your OpenID provider: The remote name could not be
resolved: 'blog.lexoft.eu'"

And after some time it starts working again. I suspect this is a DNS problem,
but using OpenID means a dependence on an external system over which you have
no control.

So I like the concept, but a site like StackOverflow should give the option of
using normal user accounts as a fallback.

~~~
tjpick
Using the internet means a dependence on an external system over which you
have no control. OpenID is no less reliable in that regard than the internet
in general.

------
aston
Haha. I think Ted threw in that last part about using MD5 hashes in his
password table just to piss off the people who were _really_ paying attention.

------
axod
OpenID and IPv6 seem to share the same problem really.

------
AndyKelley
This article seemed pretty weak. I didn't really see any arguments past his
strongly emotional attitude towards OpenID.

~~~
jamesbritt
Seemed pretty clear to me in how he explained the amount of extra effort he
would have to expend as a user to get started with OpenID, and as a developer
to support it. It's work.

------
t0pj
<http://idcorner.org/2007/08/22/the-problems-with-openid/>

~~~
extension
Even as a non-expert, I can debunk most of those.

------
geuis
Wow. Someone who can curse a lot. Read the whole thing, and all I see is
someone who's out of touch and can't express even their own vapid complaints
in a logical or consistent manner.

~~~
unalone
I find that unlike most bloggers, Ted actually is pretty smart about what
users like and don't like.

OpenID is cluttered. It takes longer to use it than it does to just reregister
every single time. Even Clickpass doesn't speed things up. It's hailed as
brilliant because it's open, but it's poorly implemented to a fault.

I argued in another thread that Facebook Connect was the technology to bet on.
It's closed, but it actually offers a one-click login. The people in the
comments thread, it seemed at the time, were evenly split into two camps:
people who had used both and agreed, and people who disagreed because FConnect
wasn't an open format.

Ted's swearing also comes across well to me (and, it would seem, to a lot of
other people). I like that he gets worked up over this. It cuts out a lot of
bullshit and sounds like he genuinely cares about the things he writes about.

~~~
aston
Just curious, what's poorly implemented about Clickpass?

~~~
thorax
I think when he said "It's hailed as brilliant because it's open, but it's
poorly implemented to a fault" he was talking about OpenID, not Clickpass
specifically.

~~~
unalone
Yep. Poor choice of words on my part.

------
brlewis
What's Clickpass doing about OpenID these days? Nothing new on their blog in 2
months.

