Hacker News new | comments | ask | show | jobs | submit login

I agree, open id sucks. Or more specifically the billion different evolving implementations of open id suck. Making your users feels stupid sucks and having your business totally dependent on a third party sucks.

There is a lot of suck.

However, to balance things out, remembering 100 different passwords sucks. Getting an email to 100 different users on 100 different MXs, without being flagged as spam, sucks. Recovering an account when a primary email address stops working, cause a user switched jobs, sucks. Having to change your password every time you visit a site (cause you visit it twice a year), sucks. I know: keypass, self hosted clipperz, passpack. They are all at best awkward.

So, at the end of the day, you are stuck making a decision that is sucky, no matter what you choose.

When I built community tracker, I decided unique logins and valid emails are a valid requirement, openid is a nice add-on. A year later hacks have been added to the open-id code.. It is code I hate touching, with conditional edge cases, and is super hard to test. I decided against RPX cause I dislike the idea of adding one more business dependency. It just felt wrong. Honestly, I am not convinced the headache was worth it. Users love to be able to click on the google button and get access to the site.

When I am working on Stack Overflow, occasionally, I wish we had the "unique valid email" and "unique login" requirements. The whole cookie based account thing we have scares me (Jeff says it is what makes us better than all those sites that use slimy tricks to get your email).

However, it is far from our biggest problem. It is very easy to create an account, you can even answer a question without logging on using open id. The amount of customer service emails we get with regards to merging accounts is manageable. The majority of users, use the google button, and the google button works. The merging / recovery process and overhead is annoying but, not out-of-control annoying.

There are tweaks, we probably should not be rendering that scary URL Google gives us. We should look at ways to cut down on support calls.

Overall, I agree, for a business that is selling stuff to its users, making openid the only way for your customers to buy stuff may not a good idea.

However, for a business, that is trying to make the Internet a better place, the dependency on openid and all the hacks that come with it, is tolerable. And doing a little bit to stop users from adding, yet another password, to the never ending pool of passwords has its appeal.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact