Hacker News new | past | comments | ask | show | jobs | submit login

>Otherwise I get in but it looks like my stuff on the website I'm logging into got wiped out.

What? No. Only if the site presumes a brand-new OpenID means a brand-new account, and automatically creates it for you. And it'll probably be asking you for a username and email - at which point it likely will throw a database constraint, telling you you can't use that username or email. And the vast majority I've encountered ask you if you want to create an account under that OpenID.

And this is also no different than, say, Instapaper, where just entering an email / username offers to create a new one. It could easily do so automatically. What if you forgot you had one under a different email? You're just conflating human forgetfulness and poor website design with inherent problems of OpenID which don't really exist.

A fair number of sites allow you to register multiple emails. Is this not a band-aid to the bullet wound which email accounts are?

On the flip side, we have idiot websites storing passwords in clear-text, or hashed without salting, all of which means if they get hacked they get thousands of accounts, likely thousands of email accounts as well (as many / enough use the same password). With OpenID, they'll just get your public OpenID URL - whoop-de-doo.

In fact, I'd say that the (rarely used) adequate security measures to protect your password are band-aids on the bad implementation that is username-and-password.




Yeah, still not buying it. There's no way in hell I would think it's good to put a third party between my site and my users when that party can go down or change the only identifier I have.

I understand password pain, but so does everyone else. The song and dance is annoying, but known. I'd rather spend the time dealing with an explosion of openid misimplementations adding useful features that don't carry a risk of pissing off my users.


>There's no way in hell I would think it's good to put a third party between my site and my users when that party can go down or change the only identifier I have.

Like... email addresses? Or do you not think it's good to provide a "forgot password" link which emails a reset mechanism?

Any other means of re-gaining access, like "secret questions", work for both lost email accounts and OpenID, and any site which asks for an email address to mail "forgot"-like requests to has all the capabilities of any system which has an email address.

So your complaint is that OpenID providers aren't mature enough to be reliable enough to last long enough to be worthwhile. Providers like Google, Verisign, Yahoo, and many others of the internet / security / email giants.

If they've made stupid decisions in the past, that's an entirely different problem. Email providers can and do and have made plenty of stupid decisions - one of mine only allows login via plain-text username and password over POP. Two of my older ones went belly-up. One got purchased, and transitioned everyone over to a new domain name as they phased out the old one. How is this different?


> Like... email addresses? Or do you not think it's good to provide a "forgot password" link which emails a reset mechanism?

Yeah, but those are for retrieving an account, not for day-to-day logins. I'm only dealing with trouble when someone's email provider goes down and they can't remember their password. With openid I'm in trouble when the provider goes down period.

> So your complaint is that OpenID providers aren't mature enough to be reliable enough to last long enough to be worthwhile. Providers like Google, Verisign, Yahoo, and many others of the internet / security / email giants.

Being big giants doesn't make them awesome at everything they attempt. Half of this article was griping about Google changing tokens and provider urls.

Also, with openid I don't get to pick who I trust to do their job correctly. At the least I shouldn't, if I'm implementing it properly. Maybe if I could I would decide that Google, Verisign and Yahoo can do it well, but I'd rather not depend on MomAndPopsIDShop to hold it together. I don't really get that choice, and instead my user experience is up to them holding up their end of the deal.

> Email providers can and do and have made plenty of stupid decisions - one of mine only allows login via plain-text username and password over POP.

This applies equally to openid. A dumb implementation can be just about as insecure.

> Two of my older ones went belly-up. One got purchased, and transitioned everyone over to a new domain name as they phased out the old one. How is this different?

Well, for starters it's a known problem. Also you know the token I'm using to uniquely identify your account, it's the same email that's now become a problem. But if tomorrow your provider decides that, instead of "5AHGFOA12389E" you are "ABNA489AKJ12" ... we're both kind of stuck. You only know your openid, and I only really know the token that just changed. Sure I can ask for even more information from you, but there's a limit on how many hoops I'm willing to jump through before admitting that openid is a bad business decision.


>Also, with openid I don't get to pick who I trust to do their job correctly.

That's probably where we're disagreeing. This is precisely why I like OpenID: it takes logins out of your / site owners' hands, where it's always been, and where it's been abused to no end, and puts it in mine, where I can actually make a few decisions.


What advantage does that provide? I'm not following the whole "takes logins out of site owners hands" logic. It seems like, yes, the site owner doesn't get to see your password but that's about it. On the otherhand, you're sharing a huge amount of information with your OpenID provider about who you are and where you go.


Unless your OpenID provider is you. Which it can be. Which is not possible with username+password.

It's also about not having to trust the site owner to not misuse your password or release it or get hacked, which has happened before (though not to me). Loads of people use the same password on their email as they do on website-X, however stupid that may be. This is essentially giving website-X access to your entire identity, as nearly everything is keyed around your email account. Identity theft, here we come; already a tens-of-billions-of-dollars industry in USA alone.

Instead, you choose who you want to trust with that information. Your OpenID provider. And you restrict your logins to 1, instead of N, making it far simpler to use a more secure login for even the most computer-inept.


> Unless your OpenID provider is you... which is not possible with username+password.

Actually, with the username+password I'm always the provider. I can give whatever information I want.

I don't disagree with what you say about website and identity -- but I think OpenID is the wrong solution to the problem. This should be embedded into the browser with strong cryptography between you and the website and no 3rd party should ever need to be involved. If I want to invent a new throw-away identity, it should be a simple click away.

Being secure with a username+password is pretty much as easy or as difficult as using OpenID. If the goal is to secure the computer-inept, requiring them to associate a url with their identity is a failure even before you get through the rest of the process.


I can understand that opinion, but having the user's ability to access your site be in anyone else's hands is a scary thing. Especially when it can create even nastier customer service issues than a lost password.

I'm not really sure what the solution here is, because as a developer I would like to see openid work. Right now it's just hard to argue for.


I honestly doubt there can be one. A system has to favor one or the other, as giving both equal access opens it to all possible abuse from both sides, rather than just one.

As to the customer service issues, if they're having a problem on your site, they're having a problem on every site if they're using OpenID, because their ID has changed everywhere. It's far easier to diagnose the problem there, as it lies wholly (and provably) with their provider, and not with you.

More of a headache for you, potentially, people are nuts when they don't get what they want. But at least you have a provable "out" and they have a single place to go for a solution (if there can be one).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: