

Elevator Pitch: Clickpass brings some password relief - dcurtis
http://blogs.guardian.co.uk/digitalcontent/2008/03/elevator_pitch_clickpass_bring.html

======
spolsky
As far as I can tell Clickpass only works with 6 websites. Am I missing
something? This is the mother of all chicken-and-egg problems... with no
backwards compatibility mode to deal with websites that haven't gone along
with a little two-guy startup's big scheme yet. Even Microsoft couldn't pull
that off.

Wake me up when it can handle the 200-odd passwords I keep in PasswordSafe for
200-odd websites.

~~~
brlewis
They are an OpenID provider, so yes you can use them with the 11,000 or so web
sites that support OpenID.

Obviously it's a lot more slick if you set things up their way. This is the
opposite of a chicken-and-egg problem. The fact that there are so few web
sites on clickpass while it's getting so much attention motivates implementors
to work with them. It sure motivated me.

------
huhtenberg
There is a very big and rather obvious issue of trust with a solution like
theirs. I am expected to entrust them with my passwords, essentially creating
a single point of failure for a lot of sensitive information. Sorry, can't do.
Not even if they were a spin-off of VeriSign.

The only passwords I am willing to share with them at the moment are those I
am finding at BugMeNot :)

~~~
immad
If you have different secure passwords at every single website and somehow
avoid email as a single point of failure then Clickpass/OpenID might not be
the right solution for you. For everyone else it's better than what's currently
out there, and we are going to implement further security measures going
forward.

~~~
huhtenberg
Email is _not_ a single point of failure as I just explained in another reply
and Internet users with a rudimental sense of security are _not_ a rarity. I'm
afraid the ignorant "everyone else" crowd you are planning to cater to might
not be as big as you expect it to be.

Also you are tasking yourselves with handling _confidential information_, so
stating that your "lips are sealed and encrypted" is not good enough. I fail
to see how this is "better than what's currently out there". Sorry to be peeing
in your punch on a launch day, but you do have a serious problem with a
security disclosure.

~~~
immad
1. If your email servers are compromised, then it makes them a single point
of failure as most web accounts are accessible through forgotten password
procedures.

2. Most people (66% of users) use the same password on all websites. Which is
a far worse multiple trusted party single point of failure. Which is what I
meant by "better than what's currently out there".

3. For services that really require a significantly increased level of
security, like banks, it is very easy and likely that further security
measures that don't rely on the OpenID provider will be built in on the
websites.

4. It is important to figure out the security issue and make a rewarding web
experience rather than hold up one's hands and decrease data portability and increase
friction on the web. We are hoping to help that process along and are very
open to suggestions on how we can improve that.

------
abstractbill
If you're in San Francisco today, don't forget to come to the justin.tv office
(36 Clyde Street) to see Peter talk about Clickpass. Talk starts at 12:30pm.

If you're not in SF, Peter's talk will be broadcast at
<http://www.justin.tv/hackertv>

~~~
abstractbill
Here's the archived talk:
[http://www.justin.tv/hackertv/86574/Peter_Nixey_Clickpass__O...](http://www.justin.tv/hackertv/86574/Peter_Nixey_Clickpass__OpenID_and_how_)

