
The real problem is that every single site needs its own separate password.

(Even worse are products and services where you need a separate password for different features.)

The better way to solve this is to push for better account portability. We already (kind-of) have this with websites that let you sign in with your Google or Facebook ID. (Unfortunately, these systems still have privacy problems because they share your email, or the web site fails if you don't want to share your email.)

That is not a problem at all. Whenever you have a centralized OAuth service, there will be a possibility to track its users. I don't see any way a company could guarantee that it doesn't track me that I'd actually believe.

Therefore I'd prefer to have an alternative to OAuth: old-school account creation on each and every website, with a separate login/password pair.


We really should have public keys that we can give away to these sites, and then there should be a challenge/response phase in which our private keys (stored safely!) are used to sign the challenge.

Of course that would mean carrying around a physical token that needs to talk to your browser(s), phone(s), etc.

Passwords should GTFO tbh.
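The challenge/response login the comment above describes, as an added example that is not part of the original thread or of any product mentioned in it. The server stores only each user's public key; at login it issues a random nonce, the client's token signs that nonce bound to the site's origin, and the server verifies the signature against the enrolled key. The example assumes Ed25519 from Go's standard library, a hypothetical origin `https://example.test` and user `alice`, and a constructed `Server` type; it also shows the three checks a practitioner would want on top of the bare signature: the challenge is single-use (replay fails), it expires, and a signature produced for a different origin does not verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// challenge is one pending login attempt on the server side (constructed
// illustration, not any real site's code).
type challenge struct {
	nonce   []byte
	origin  string
	expires time.Time
}

// Server holds enrolled public keys and outstanding challenges.
type Server struct {
	origin  string
	users   map[string]ed25519.PublicKey // username -> enrolled public key
	pending map[string]challenge         // hex(nonce) -> challenge
	now     func() time.Time             // injectable clock for expiry tests
}

func NewServer(origin string) *Server {
	return &Server{
		origin:  origin,
		users:   map[string]ed25519.PublicKey{},
		pending: map[string]challenge{},
		now:     time.Now,
	}
}

// Enroll stores the user's public key; the private key never leaves the token.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random nonce that the client must sign.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = challenge{
		nonce:   nonce,
		origin:  s.origin,
		expires: s.now().Add(2 * time.Minute),
	}
	return nonce, nil
}

// message is the byte string that actually gets signed: the nonce bound to
// the origin, so a signature obtained for another site's origin is useless here.
func message(origin string, nonce []byte) []byte {
	return []byte(origin + "\x00" + hex.EncodeToString(nonce))
}

// Verify checks the signature and consumes the challenge (single use).
func (s *Server) Verify(user string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	c, ok := s.pending[key]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, key) // consume first: a replayed response fails here
	if s.now().After(c.expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, message(c.origin, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Sign is the client/token side: sign the challenge for the origin the
// client believes it is talking to.
func Sign(priv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, message(origin, nonce))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer("https://example.test")
	srv.Enroll("alice", pub)

	nonce, _ := srv.Challenge()
	sig := Sign(priv, "https://example.test", nonce)
	fmt.Println("login:", srv.Verify("alice", nonce, sig))  // <nil>
	fmt.Println("replay:", srv.Verify("alice", nonce, sig)) // error: already used

	nonce2, _ := srv.Challenge()
	fmt.Println("wrong origin:", srv.Verify("alice", nonce2, Sign(priv, "https://evil.test", nonce2)))
}
```

Binding the origin into the signed message is what makes the scheme resistant to the credential-relay problem passwords have: a token that signs whatever it is handed would happily authenticate to a look-alike site, whereas here the server only accepts a signature over its own origin.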


https://www.grc.com/sqrl/sqrl.htm

Though I think he will need a more convincing marketing site if he intends for people to try it out.


GRC is not known for giving much importance to marketing.

This nonsense comes up every time anything related to a password is mentioned. Google & Facebook login are evil. And people end up picking stupid Google & Facebook passwords anyway.

Every single site needing its own password is a feature, not a bug. Educate people about password managers instead.


"Yeah, let's log in via FB! Oh wait, a few report-user requests, and now you cannot get anywhere; easy DoS." Social networks and SSO are as opposite as you can get.


