Hacker News new | comments | ask | show | jobs | submit login

So... the problem is that it's too easy to forget your OpenID / its login.

I propose that the main reason for this is because browsers (and password-storing applications in general) have practically zero support for OpenID. It's all handled by hand. It's all in your head, and nowhere else.

Sorta reminds me of, oh... browsers before password managers. Far far more people used only a couple username/password combinations, or stored their ones in a text file somewhere. Now that managers are integrated, and secure external ones exist, it's viable to actually be safer with your logins, and many more people do so. And now I rely so heavily on my password manager, I only know a couple key points-of-entry where its data is stored - the rest of my passwords are all randomly generated.

OpenID is essentially the next step, and it's precisely the same end-user problem. Imagine if browsers supported it natively via a profile-like system; pick a profile, and every site you've associated with it is immediately logged in for you. You'd be able to handle multiple people using your computer easily - just enter a password to use that profile, and everything can be switched for you. No need to launch that password manager for every site, you sign in once and everything is automatically connected from that point.

OpenID can be significantly more user-friendly than username + password. It just isn't there yet.

I sort of think the problem is that many people have multiple OpenId providers. It sort of reduces half the reason you want to use it. Originally OpenId was a way to have one authentication for multiple services on the net. However when you have a Google Account, A Facebook account, A Twitter account... problems start happening. Which one did you use to login to this service last time?

Part of the problem I think is that the providers don't act as consumers also. If I originally had an open id somewhere then why can't I use it for facebook, Google, Twitter, and whatever else. Each "Provider" that offers a service to me which I want forces me to get yet another OpenId. At this point I think I have rougly 4 different OpenId providers and with Google I have like 4 different id's. This gets unwieldy quick. The technology had promise but the way it was rolled out and adopted by various folks caused it to suck a little.

Now I need an OpenId manager in my browser like I needed a password manager before. How is this better?

"Now I need an OpenId manager in my browser like I needed a password manager before. How is this better?"

What you really need is delegation. In a webpage, place in the <head>:

    <link rel="openid.server" href="openID server URL" />
    <link rel="openid.delegate" href="openID server" />
with appropriate values.

My OpenID is "ht​tp://jerf.org". I delegate that to AOL right now, but I can change that to any provider transparently. (The ickiness of using AOL is mitigated by the trivial way in which I can change it; which of the corporate monstrosities auths me isn't very important, and of the various accounts I have they were the first to be a provider.)

Having this implemented by your metaphorical grandmother is obviously a problem.

Edit: And also, I'd observe that this solves your personal OpenID problem. It doesn't do a thing to solve the problem for a site trying to use OpenID, such as the original article author, because telling everyone to delegate like this is a boil-the-ocean solution in the context of cutting down support calls.

This will likely appeal to the identi.ca and diaspora crowd, but will not appeal to the facebook crowd.

there are two problems with OpenID.

  #1 the UX has been killed by committee more than once. ( i should know I worked on it. )
  #2 OpenID does not offer value for one, let alone many OpenIDs.
Whether we like it or not. We need to get activitystrea.ms and the browser vendors to probably make some collective bets on identity.

Password managers make some bets on input fields that use the password type to manage login pairs, but I think we need to take this further.

I think we need to start having browsers connect cookies and openid redirect flows to login pairs. I think we can observe openid login flows in the browser and... remember them! I think we can link that to a browser profile, and I think we can pair that to a cookie set. I think smart-identity-browsers can suggest OpenIDs and make OpenID NASCAR obsolete, or at-least auto create a popular field of buttons, rather than making that site specific.

This is probably not enough space to discuss in detail how I think the tech can mature. but i think it's obvious that the future of the web is mobile, and is identity based. these interfaces don't need to get a little bit simpler, they need to get a lot simpler. they need to work on mobile phones.

a lot of the work i have done on OpenID comes to naught when you try to copy that experience for mobile phones.

I find myself uncertain if you are actually replying to me, and if so, if you understand what I mean by delegation. I thought more people knew about this, but in the past few hours I continue to see a lot of comments that leads me to believe this is not common knowledge and that not everybody understood what delegation is.

When I give my open ID to a site (usually blogger.com to make a comment), I actually type in "jerf.org" after the http:// , with nothing else. I do not have a provider set up, which I looked into but is a pain in the bum, and, as it turns out, entirely unnecessary. Instead, the OpenID consumer hits the page I gave (my domain's front page, as it turns out), finds those tags, redirects to "whatever those tags say today", and then I log in that way. When I have successfully logged in with the delegated service, then I have successfully authenticated myself as "ht​tp://jerf.org". I say "whatever those tags say today" because if I change those tags on that page to delegate to Google, suddenly I can log in with Google, but I will still be authenticated as "ht​tp://jerf.org". If AOL, my current delegate, decides to get out of the OpenID business entirely, one minute with vim on my website allows me to move it somewhere else, again, all along, I'm "ht​tp://jerf.org". This layer of indirection solved all the problems I had with the idea.

I don't have "many" OpenIDs, the phrase of yours that led me to wonder if you (and perhaps others) aren't following me here. I have one: ht​tp://jerf.org. Of course like everybody else I can't even count the number of accounts I have with various OpenID providers, but I don't care; ht​tp://jerf.org is my OpenID, and will be until I no longer have the domain.

I also don't know why it would "appeal" to one of the crowds you listed, but not others. The crowd it "appeals" to is the crowd that has control over a website that includes the ability to set arbitrary tags into the heading of a webpage, rather than a pre-canned HTML template that can't be touched. Unfortunately, rather fewer people have websites with that amount of control than I'd like.

ht​tp://jerf.org is my OpenID, and will be until I no longer have the domain.

This is precisely my problem. I don't want to commit to maintaining a webpage at a given domain with a given set of headers for the rest of my life.

Imagine if OpenID had been designed in 1991. Perhaps it would have been called "GopherID". And I might still have my GopherID from 1991, provided I had kept up the Gopher server that was delegating it, and could find another (trustworthy!) person on this Earth who would bother to operate a reliable GopherID server eighteen years after it mattered.

You see the problem? The web is barely old enough to vote. Any identity that ties me to some web standard of 2010 is as ephemeral as the morning dew, eight-track tapes, and the Commodore 64 floppy disk.

Meanwhile, I just visited Slashdot for the first time in years. My user ID is only three digits, but my login still works. It's a username and a password, it's built out of text, the protocol is obvious, and it's going to work as long as Slashdot works.

and it's going to work as long as Slashdot works

This would be true as well if you'd use OpenID. OpenID dies when HTTP web services die, but then Slashdot will die, too.

"death by committee" is like "death by one thousand knives" i know what a delegated identity is. and if you can show me 10% of facebook users that care, i am interested.

the problem is that so many people want simple these days. in the beginning the internet was for geeks. today the internet needs to be for everyone.

my really smart friends in social games, always get frustrated, because they can never create a game that is fun for them. rather they need to create games for the masses. many of us still enjoy the complexity of supreme commander or civ5, but instead design things like mobsters and farm-ville because that is what people ( on average ) can handle.

OpenID has been designed by way to many smart people for their own needs and does not often times take the simple shortcut. there are people from government institutions at these committee meetings trying to leverage OpenID into a government ready spec.

the OpenID groups should really segment along a few different paths and focus on unique consumer segments like social, fiscal, and real identity.

the other problem is that RP ( relying parties ) otherwise known as the 3rd party site don't like OpenIDs because there is not a guaranteed messaging protocol for communication between end users and the OpenID. RPs have been asking for email address as part of the registration process, and OpenID providers always stand on the legs of privacy when asked for this, but the reality is that relieving email address leaves Providers vulnerable as their motives for OpenID are around engagement numbers.

There are political challenges to overcome with OpenID before it can move forwards. I think that is why Facebook is walking over everyone here. They don't have to deal with those issues.

> I don't have "many" OpenID... I have one: ht​tp://jerf.org

That is itself a problem. Sites and advertisers don't even need sneaky cookie tricks to track you across all the sites you use: you're doing it for them. I really don't want one single identity token for every site on the Internet.

Only when I actually log in, which is... uhhhh... damn near never, actually. The situation has marginally improved, but it's still "everyone" (big and important) wants to be a provider, "nobody" is willing to be a consumer.

Believe me, I'm not claiming OpenID is teh awesome. I'm just saying that certain criticisms can be mitigated if you are in control of a web page. As claims go, this isn't very strong.

"If AOL, my current delegate, decides to get out of the OpenID business entirely, one minute with vim on my website allows me to move it somewhere else, again, all along,"

I doubt that. "http://jerf.org is a string that you type into the OpenID box ("endpoint URL"?), not the ID itself. I use Google Apps and set my site up using an X-XRDS-Location header so I can type in "http://id.example.com into the box, but the identity the site gets is something like "http://example.com/openid?id=123456789. This identity will probably change if I switch to using AOL.

So, I just tried this, and it seems the answer is "it depends". AOL actually let me appear as "jerf.org", so it is not unreasonable that I thought this was the case. When I switched to using Yahoo, my OpenID got translated back to their idea of my id when I used it to log in. And I started flipping out, but decided to verify with another source before screaming too much. So I signed up for myOpenID and delegated to them, and once again I could appear as "jerf.org". I verified this using StackOverflow; with Yahoo I ended up on one account consistently, but with myOpenID and AOL I ended up on the "jerf.org" account regardless. I also verified StackOverflow was actually hitting my site on each request and not just caching my page.

So unless I screwed up, it is possible for it to work the way I describe, and it is possible for it to work the way you describe, depending. I'm calmed back down, but in general that's pretty worthless. I can not imagine why it should not always work the way I describe, it's the entire bloody point. Providers shouldn't even be able to screw me over that way.

You have been bamboozled by OpenID lingo. Don't worry, it happens to the best of us. jerf.org is a User-Supplied Identifier which the Relying Party will perform Discovery on to resolve to an Endpoint URL at the OpenID Provider where the Claimed Identifier, which is possibly an OP-Local Identifier, will be resolved to an Identifier. None of these words mean what you think they mean. Identifiers look like URLs, but aren't, except when they are.

Have I mentioned recently that implementing OpenID is a source of endless amusement?

Ugh. I take it that the lesson to take from all this is "stay away". Got it.

Not if the provider implements delegation properly. The identity string returned should be http://jerf.org in this case.

The catch, however, is that many providers screw the identity up. For example I set up a page at http://foo.com with necessary headers to delegate to my Google Account. Using the OpenID support on App Engine, I get the federated identity as http://foo.com/openid?id=[SOME RANDOM DIGITS] instead.

The idea of OpenID and delegation is awesome. In reality the millions different implementations fked up the whole thing, not even to mention the control and reliability issues.

Oh by the way, one more thing: if you supply https://foo.com instead of http://foo.com to App Engine you'll get completely different identity back as a result. This is just pure fun.

From what I remember of my OpenID provider search a few months ago, not all providers have chosen to support delegation. Google doesn't support it, but myOpenID does (I went with the latter, then never used it again). But it's not a "screw up", it's a (questionable) policy decision.

I actually tried to set that up once and ran into some kind of trouble. I don't remember what exactly. It was a while ago though so it's probably gotten considerably easier to do. But your right this isn't a solution for Grandma or even Mom at this point.

Yep, this is my problem, not that I actually forgot all the logins to my individual OpenID provider accounts and variants (but when that happens once in a while, that's also a clusterfuck...). I have one for my domain with myOpenID, I have at least one each through google, yahoo, facebook, twitter, livejournal... every site offering those logins uses any combination of all of those, and I can't remember which OpenID I need to use with the site.

This is why I can't even remember the last time I posted on Stack Overflow. I once had to email Jeff Atwood because I had managed to create two accounts with two different identities (this was long ago, before you were able to associate multiple OpenID identities to a single user), and to this day I still don't remember which ones work with the user that has the highest reputation. So I don't even bother logging in most of the time, and choose a random login every time I do.

OpenID's biggest end-user benefit was supposed to cut down on the number of disparate accounts people tend to have across multiple websites, and it became moot when everyone and their mother decided that they needed to be the be-all end-all of OpenID providers by turning your login details and identity with that website into an OpenID or OpenID type identity.

Exactly. Each of the big players has incentive to be an OpenID provider (control everyone's logins!) but not be an OpenID receiver (accept AOL's logins? are you kidding?).

Nobody at OpenId seems to have quite thought through the incentives here. Identification is not in fact a technical problem. That's trivial. It's a business/social problem.

The problem is, "How can I make multi-billion dollar companies want to outsource identification to someone else, given that they're reasonably bright and given that every time in the past that someone else has inserted themselves into another's business, things have gone badly for the insertee?"

Businesses look at situations where companies like Ticketmaster and OpenTable have successfully inserted themselves between pre-existing businesses and their customers, and siphoned off a lot of the value of those customers. Then they say, "Gee, maybe I should learn from that and not let someone do that to me." And then the OpenID geeks come calling saying they've got a great solution where all you have to do is outsource your accounts to another multi-billion dollar company and everything will be cool, that other company TOTALLY won't steal your business or anything.

That's not serious, is it?

The real point is, that you cannot be sure that you can identify _your customers_. The providers change, you greet them with "Hey, welcome. What do you want to buy here?" instead of saying "Hey, Groxx. Glad you are back. Feel free to use X, Y and Z that you gave us money for in the past".

I really like OpenID, but insights like this seriously scare me. And they are _not_ customer friendly when they _don't_ work. Understand that you have no control over that "when" though - you rely on someone else to allow your paying customers to use your (purchased) service.

That's the same situation as we have right now, where their login or their email are identical points of failure. Forget one / lose access to your email, and you lose the ability to get back in, so people make a new account. It's not like having usernames and passwords is preventing this.

As to providers changing, that's where you allow multiple OpenIDs per person, as fallbacks / alternate ways of signing in. So long as they control one, they can control all. It's not OpenID's fault few sites do this, it's the epic adherence to preferring username + password columns in databases instead of a separate table which would allow for more than one.

... except logins and emails are known, understood points of failure that tend to fail closed.

If I forget my login I can't access the website, but I can usually go to the website and play email bingo until I hit the one I used.

If my email access goes down, I still can't access the website, but I know why and have bigger problems.

If I log in with the wrong openid provider ... provider bingo is the ideal case. Otherwise I get in but it looks like my stuff on the website I'm logging into got wiped out. Obviously to most people here it would look more like they used the wrong provider, but that only qualifies openid as a solution for techies.

That's a much more serious customer problem from an end-user standpoint. Telling people they can register multiple providers with their account is a band-aid on a bullet wound.

And that's just when things are working as intended. Idiot providers, bad implementations, openid servers going down, all of these things add even more potential to screw things up for you.

>Otherwise I get in but it looks like my stuff on the website I'm logging into got wiped out.

What? No. Only if the site presumes a brand-new OpenID means a brand-new account, and automatically creates it for you. And it'll probably be asking you for a username and email - at which point it likely will throw a database constraint, telling you you can't use that username or email. And the vast majority I've encountered ask you if you want to create an account under that OpenID.

And this is also no different than, say, Instapaper, where just entering an email / username offers to create a new one. It could easily do so automatically. What if you forgot you had one under a different email? You're just conflating human forgetfulness and poor website design with inherent problems of OpenID which don't really exist.

A fair number of sites allow you to register multiple emails. Is this not a band-aid to the bullet wound which email accounts are?

On the flip side, we have idiot websites storing passwords in clear-text, or hashed without salting, all of which means if they get hacked they get thousands of accounts, likely thousands of email accounts as well (as many / enough use the same password). With OpenID, they'll just get your public OpenID URL - whoop-de-doo.

In fact, I'd say that the (rarely used) adequate security measures to protect your password are band-aids on the bad implementation that is username-and-password.

Yeah, still not buying it. There's no way in hell I would think it's good to put a third party between my site and my users when that party can go down or change the only identifier I have.

I understand password pain, but so does everyone else. The song and dance is annoying, but known. I'd rather spend the time dealing with an explosion of openid misimplementations adding useful features that don't carry a risk of pissing off my users.

>There's no way in hell I would think it's good to put a third party between my site and my users when that party can go down or change the only identifier I have.

Like... email addresses? Or do you not think it's good to provide a "forgot password" link which emails a reset mechanism?

Any other means of re-gaining access, like "secret questions", work for both lost email accounts and OpenID, and any site which asks for an email address to mail "forgot"-like requests to has all the capabilities of any system which has an email address.

So your complaint is that OpenID providers aren't mature enough to be reliable enough to last long enough to be worthwhile. Providers like Google, Verisign, Yahoo, and many others of the internet / security / email giants.

If they've made stupid decisions in the past, that's an entirely different problem. Email providers can and do and have made plenty of stupid decisions - one of mine only allows login via plain-text username and password over POP. Two of my older ones went belly-up. One got purchased, and transitioned everyone over to a new domain name as they phased out the old one. How is this different?

> Like... email addresses? Or do you not think it's good to provide a "forgot password" link which emails a reset mechanism?

Yeah, but those are for retrieving an account, not for day-to-day logins. I'm only dealing with trouble when someone's email provider goes down and they can't remember their password. With openid I'm in trouble when the provider goes down period.

> So your complaint is that OpenID providers aren't mature enough to be reliable enough to last long enough to be worthwhile. Providers like Google, Verisign, Yahoo, and many others of the internet / security / email giants.

Being big giants doesn't make them awesome at everything they attempt. Half of this article was griping about Google changing tokens and provider urls.

Also, with openid I don't get to pick who I trust to do their job correctly. At the least I shouldn't, if I'm implementing it properly. Maybe if I could I would decide that Google, Verisign and Yahoo can do it well, but I'd rather not depend on MomAndPopsIDShop to hold it together. I don't really get that choice, and instead my user experience is up to them holding up their end of the deal.

> Email providers can and do and have made plenty of stupid decisions - one of mine only allows login via plain-text username and password over POP.

This applies equally to openid. A dumb implementation can be just about as insecure.

> Two of my older ones went belly-up. One got purchased, and transitioned everyone over to a new domain name as they phased out the old one. How is this different?

Well, for starters it's a known problem. Also you know the token I'm using to uniquely identify your account, it's the same email that's now become a problem. But if tomorrow your provider decides that, instead of "5AHGFOA12389E" you are "ABNA489AKJ12" ... we're both kind of stuck. You only know your openid, and I only really know the token that just changed. Sure I can ask for even more information from you, but there's a limit on how many hoops I'm willing to jump through before admitting that openid is a bad business decision.

>Also, with openid I don't get to pick who I trust to do their job correctly.

That's probably where we're disagreeing. This is precisely why I like OpenID: it takes logins out of your / site owners' hands, where it's always been, and where it's been abused to no end, and puts it in mine, where I can actually make a few decisions.

What advantage does that provide? I'm not following the whole "takes logins out of site owners hands" logic. It seems like, yes, the site owner doesn't get to see your password but that's about it. On the otherhand, you're sharing a huge amount of information with your OpenID provider about who you are and where you go.

Unless your OpenID provider is you. Which it can be. Which is not possible with username+password.

It's also about not having to trust the site owner to not misuse your password or release it or get hacked, which has happened before (though not to me). Loads of people use the same password on their email as they do on website-X, however stupid that may be. This is essentially giving website-X access to your entire identity, as nearly everything is keyed around your email account. Identity theft, here we come; already a tens-of-billions-of-dollars industry in USA alone.

Instead, you choose who you want to trust with that information. Your OpenID provider. And you restrict your logins to 1, instead of N, making it far simpler to use a more secure login for even the most computer-inept.

> Unless your OpenID provider is you... which is not possible with username+password.

Actually, with the username+password I'm always the provider. I can give whatever information I want.

I don't disagree with what you say about website and identity -- but I think OpenID is the wrong solution to the problem. This should be embedded into the browser with strong cryptography between you and the website and no 3rd party should ever need to be involved. If I want to invent a new throw-away identity, it should be a simple click away.

Being secure with a username+password is pretty much as easy or as difficult as using OpenID. If the goal is to secure the computer-inept, requiring them to associate a url with their identity is a failure even before you get through the rest of the process.

I can understand that opinion, but having the user's ability to access your site be in anyone else's hands is a scary thing. Especially when it can create even nastier customer service issues than a lost password.

I'm not really sure what the solution here is, because as a developer I would like to see openid work. Right now it's just hard to argue for.

I honestly doubt there can be one. A system has to favor one or the other, as giving both equal access opens it to all possible abuse from both sides, rather than just one.

As to the customer service issues, if they're having a problem on your site, they're having a problem on every site if they're using OpenID, because their ID has changed everywhere. It's far easier to diagnose the problem there, as it lies wholly (and provably) with their provider, and not with you.

More of a headache for you, potentially, people are nuts when they don't get what they want. But at least you have a provable "out" and they have a single place to go for a solution (if there can be one).

The problem is less that it's easy to forget - it's more that it's easier to completely lose someone. For instance, you forget your login to HN and you can go through a reminder process - pretty simple. You forget your Open ID you're in a world of pain.

Moreover most sites can't help you - the URLs contain (usually) no information about you as a person. So you come to me and say "I don't know my login" or worse: "My Open ID provider is gone".

All I can do is shrug. The it becomes a matter of sleuthing: IP addresses, PayPal transactions (if you use them)... and so on.

I agree it can be better - but it's technology that when mixed with users is a nightmare.

Same as email accounts now; lose one, or it goes under, and you're in a world of pain because those handy "forgot password" links are tied to that. Moreover, most sites can't help you - the emails contain (usually) no information about you as a person.

All of which is only solved by alternate means of identification. ie, GMail lets you specify a cell phone, many other sites have pseudo-personal questions you have to guess to perform a reset without a password / email, etc. What reason is there that a site can't ask a series of questions to re-point an account to a new OpenID?

None of this is any different. At all. The only difference is in managing one OpenID vs widely varying logins on every site on the internet.

> lose one, or it goes under, and you're in a world of pain because those handy "forgot password" links are tied to that.

That requires two failures: you forgot your username/password and you lost your email account. That's not the same as forgetting your OpenID or having the provider go down. If you've got username/password, then email is the alternative means of identification. One of the main points of OpenID is avoid giving alternative means of identification, such as an email address.

No. Lose your email, and you lose your account. Your sign-up email is probably in there, and the new "owners" can go click the "forgot password" link.

You don't need it, if you remember your login and password then you login and change your email. You're not going to sign up with an email that you've lost.

You seem to be under the mistaken assumption that this sort of thing will a) inform you you have lost your email account, and b) will only occur after you've noticed.

Give me your email account. I can nearly guarantee you I can have 5 sites with new passwords inside 5 minutes. And that's by hand - anyone serious about this could write a couple scripts to grab dozens of the major sites in seconds.

I'm under no such impression, I'm just pointing out the obvious flaw in your previous post.

If you get to stipulate browser support, you can do much more interesting things than OpenID. Not requiring browser support to be viable is part of the point of OpenID and OAuth.

I think that's what the OP is lamenting: That we've traded one problem (remembering which screen name/e-mail address and password you used to log in) with another one (remembering which OpenID you used to sign up, and dealing with the technical repercussions therein), while there is a seemingly superior solution out there (let the browser(s) handle it).

On the other hand, authenticating users by their browser is like authenticating passengers by the car they're in.

Where am I "stipulating" browser support? I'm saying it could be easier with browser support. Easy enough to the point where people would prefer it, causing everything to support it instead of the anemic few we have now.

This is one of those areas where people improving security frequently seem to fail to comprehend human behavior. For OpenID to gain critical mass, the average person has to be able to use it simply and correctly enough that they will make the switch. And that implies incredible simplicity. OpenID has the capability, but it seems implementers go out of their way to make the process anything but simple, so people get confused and leave for a lock-in solution like Facebook that has a single button to press.

You get people to improve their habits by being easier than their old habits, not by telling them their old habits are dangerous and look, here's a better option. If that worked, people wouldn't be drinking and smoking so much.

Actually, it seems to me the bigger problem is that some providers just decide to change who they say you are, and those providers (Google) just happen to be the biggest because you're telling users 'just use your google login here'. They don't know anything about openID. Sure, users having multiple OpenIDs is an issue when they forget which they used, but even if this was solved, the other issue seems to be much worse.

A provider changing their URL: totally agree, huge problem. But that's on the same scale as your email provider changing their URL. Problematic and rare. And it's something nothing can adequately deal with - your "forgot password" links won't work if your email changes domain names. It's also an abnormality that can't be securely accounted for, because otherwise MITMs could just hijack requests and send it to their own servers with no complaints.

Forgetting ID/Password is not the only problem with OpenId. The real problem I see is that, you're not only authenticated with your H/Y/GMail user name, but that you have to be authenticated on their servers and open a valid session there without you being aware that it's not closed after you login to the target OpenId site. You still have that open session even if you log out of the target site (or a go-between like ClickPass).

For OpenID to work as designed, the user should not have multiple ones and always use the same one wherever an OpenID is requested.

You actually keep your passwords in your browser's password manager?

That's a single point of failure btw.

It is actually a lot better to spread your accounts in a couple of buckets (work, personal, sensitive, junk) and remember just those.

Actually no, Groxx and I both use 1Password at this time and sync it's database to dropbox.

I also have the daily backups turned on in case of database corruption. With dropbox and my backups I have the file in 4 locations at any one time (work laptop, personal laptop, home server, and backup disk)

Sync your passwords securely to the cloud, single point of failure averted. For maximum security, also set the master password on your browser.

A) I think you read the first third of the article. The second part goes into the meat of the problem (multiple implementations, providers not being consistent etc).

B) Having a browser store everything isn't necessarily a great solution since people may use multiple browsers and public terminals.


I'm kind of creeped out, honestly.

lol, awesome. Good to see I'm not totally insane in this, then.

I honestly fail to see any reason OpenID, precisely as it is now, cannot be significantly easier to use than username + password, and more secure because people can deal with a single, better password. It's harder on websites, granted... but in terms of security, most have been slacking pretty hard as-is. (though that's all the more reason to take it out of their hands...)

If we're all going to use SSL to avoid attacks that Firesheep brought to the forefront, users can provide client certificates to different websites, managed on a per-user basis with a passphrase like pass managers work.

The problem with client certificates is that they reside in just one of your browsers - what happens when you want to log in from your girlfriend's PC?

You need some method of authorising yourself at new locations, presumably rooted in a username/password somewhere, and you need the UI for that to be dead simple.

That same issue exists with a password manager, especially one that exists in the browser. Which is why I suggested client certs need to be managed in some portable manner. Since browsers have started using OS services for certificate management, the portability may be easier.

The logging in from your girlfriend's PC is a valid use case, but that's the price you pay for not having to remember passwords. Alternatively, you have an account on your girlfriend's PC that has your certificate store in it.

I don't envision the UI for this being any different than for a password manager. In fact, you don't even need more than one certificate, the same cert can be given to every website. Self-signed certs could be used as long as the website only allows login with a single certificate, the server could cache the certificate information as part of the "account" information and only ever allow a single certificate, in the same way ssh keys work (if ssh keys are secure enough is beyond the scope of this discussion). Or for the use-your-girlfriend's-pc scenario, you can bind multiple certificates, stored on different computers, with your account. Account recovery, in the event you need to change the certificate you use, would work just like password recovery, you assert you can't login, the site emails you a link to a page where you can tell it about your new certificate. This is no more or less secure than account recovery with passwords (where access to the email account is proof enough that you are who you are), but the main goal here is to assert to the website your authentication so you don't need to remember different passwords all over the place.

I don't think we have a "dead simple" key/cert generation/store right now that would make this work for Joe User, but I think the backend technology is already there.

I agree, the technology is there to do this (use client certificates for site login) exists today - StartSSL is one place that does this.

The problem is essentially that moving your certificate store around is not a task that Joe User can accomplish, because the UI sucks. (Oh, and I also agree that this problem also exists for browser-based password stores).

Build a better interface, and it might just work. For example, I should be able to roll up to a new browser, login to some "home site" (whether run by Apple, Google, Firefox or whoever) and use my single username/password to download a client certificate, that then authorises me to login to my accounts on Twitter, Facebook and so on. Ideally, I could request a time-limited temporary certificate, so that it becomes useless after I've gone.

Why stop at the browser? I'd love to see a unified ID that persists who I am from when I log on to the computer, check my email, go to HN, and then play some online games.

All of this is technically possible, but it's like herding cats.

If we're going to push OpenID support into the browser, then why not just use the X.509 client certificate support that's already available?

Mozilla was working on that exact thing for Firefox 4 but it got postponed to a later release...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact