We're turning off Clickpass March 15. How to keep your HN account.
172 points by pg on Feb 21, 2012 | 64 comments
We're going to stop supporting Clickpass on March 15. If you use Clickpass to log in to Hacker News, please

(1) put your email address in your profile (no one can see it except you and us), then

(2) change your password by going to http://news.ycombinator.com/changepw.

The fact that Clickpass even exists made me realize OpenID was DOA.

I spent a day implementing OpenID for the users of my website, because I realized, hey, what a cool idea, a URL can represent a single user on the internet, and that user can authenticate against it universally.

The sad truth was that I could not expect a single one of my users to even understand what the hell was going on, because for most test OpenID accounts I set up on Yahoo, etc., I couldn't figure out how to use them. Only the hand-holdy sites exclusively for OpenID even bothered to tell me what my personal URL was and how to use it.

That was when I realized that Clickpass only exists because the implementation of OpenID was a total pooch screw.

If the OpenID standard had required it be simple, like the URL must follow this template - google.com/openid/kevinms and yahoo.com/openid/kevinms, and the user just pasted this into the box, I think it might have been a success. But because they didn't, and they convoluted it more with the concept of your "unique identity on the internet", you need third party services, which are unnecessary layers that are completely confusing to the user.

I always thought that the problem with OpenID is that they didn't use email addresses instead of URLs, e.g. use john@example.com and require a certain URL template for the endpoint, e.g. example.com/openid/john.

That way I don't have to remember another identifier and we already trust at least part of our identity to our email provider. Not perhaps as open, but much more approachable as a user.

WebFinger - http://en.wikipedia.org/wiki/Webfinger - was created for e-mail-as-OpenID-login. I don't know why it hasn't taken off though.
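The two comments above describe mapping an email-style identifier to a provider endpoint, which is exactly what WebFinger (RFC 7033) does: the relying party fetches `https://{host}/.well-known/webfinger?resource=acct:{user}@{host}` and reads the returned JRD document for a link of the wanted `rel`. The block below is an added example, not code from Clickpass, HN or any commenter; the `rel` value is the one OpenID Connect Discovery defines for the issuer link, the JRD document is constructed here for illustration, and the two checks on the answer (the subject must be the identifier that was asked about, and the endpoint must be https) are a conservative relying-party policy, not a requirement of the spec.

```python
import json
import re
from urllib.parse import quote, urlparse

# Link relation OpenID Connect Discovery uses to publish the provider (issuer) for an account.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Deliberately strict shape for an email-style identifier; anything else is rejected up front.
_ACCT_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def webfinger_url(identifier: str, rel: str = OIDC_ISSUER_REL) -> str:
    """Build the RFC 7033 discovery URL a relying party would fetch for `identifier`."""
    if not _ACCT_RE.match(identifier):
        raise ValueError(f"not an email-style identifier: {identifier!r}")
    user, host = identifier.rsplit("@", 1)
    # Discovery is always over https, against the host part of the identifier itself.
    resource = quote(f"acct:{user}@{host}", safe="")
    return (
        f"https://{host.lower()}/.well-known/webfinger"
        f"?resource={resource}&rel={quote(rel, safe='')}"
    )


def provider_from_jrd(identifier: str, jrd_text: str, rel: str = OIDC_ISSUER_REL) -> str:
    """Pick the provider endpoint for `identifier` out of a JRD (JSON) document."""
    jrd = json.loads(jrd_text)
    user, host = identifier.rsplit("@", 1)
    # Policy choice: only accept an answer whose subject is the account we asked about,
    # so a host cannot hand us a provider link for a different user.
    if jrd.get("subject") != f"acct:{user}@{host}":
        raise ValueError("JRD subject does not match the queried identifier")
    for link in jrd.get("links", []):
        if link.get("rel") == rel and "href" in link:
            href = link["href"]
            if urlparse(href).scheme != "https":
                raise ValueError(f"provider endpoint must be https: {href}")
            return href
    raise LookupError(f"no {rel} link published for {identifier}")


# Constructed sample JRD, shaped like the answer example.com would give for john@example.com.
SAMPLE_JRD = json.dumps(
    {
        "subject": "acct:john@example.com",
        "links": [
            {"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/~john"},
            {"rel": OIDC_ISSUER_REL, "href": "https://example.com/openid/john"},
        ],
    }
)

if __name__ == "__main__":
    print(webfinger_url("john@example.com"))
    print(provider_from_jrd("john@example.com", SAMPLE_JRD))
```

The subject check matters more than it looks: without it, a relying party that trusts whatever JRD comes back has no way to notice that a misbehaving host answered for someone else's account.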

Hate that idea. I don't want to have to share my email address, in fact that's a primary reason why I always use my OpenID (which is unrelated) when possible. Providing email as a credential creates an implicit, if not explicit, invitation "Here, spam me." This is why I'm generally against using email as an identifier.

Other examples that all suck for this reason: Apple IDs. Windows Live ID. Jabber.

> Other examples that all suck for this reason: Apple IDs. Windows Live ID. Jabber.

Erm, to clarify, Jabber isn't an authentication system. It's a decentralized IM network, structured similarly to email. A user is identified by their username on a given host, just like email. It (sensibly, in my opinion) re-uses the same format for that, user@host (I don't think user!host would be quite as intuitive...).

This does not mean a Jabber ID is an email address. It can be, but they are two distinct properties of any given identifier. So saying it 'sucks' because the format of its identifiers happens to look like an email address, and some services choose to enable both email and IM on the same ID, is stretching it a bit.

>This does not mean a Jabber ID is an email address.

Though on many mail providers these days, it's the other way round that's true. A lot of people use Gmail, but few realize that this means they also have a JID (Jabber ID) and can use XMPP, since Google opens their servers.

It's a shame, really. Google seriously missed a chance to kill all of the mess of a thousand and one IM providers (each with their own, proprietary protocol) and replace it with the open and partially decentralized XMPP protocol, which anybody can implement and run.

The identifier doesn't have to be a real email, much less your main address - it's just an identifier and a provider.

I've got like 15 email addresses. I keep some of them private. There's no reason to give out your primary email address to every site that asks for it, just an email address.

I use throwaway email providers on most websites, like 10minutemail.com or fakeinbox.com. Works wonders against spam. My real email(s) are only used when it's really required.

This problem is tough to imagine with Jabber, where you control access through your roster.

That is. They would then have to ask you permission to spam you.

How do people operate in the 21st Century internet treating their email address as private? I've never been reserved about giving out my email address and I've never had a spam or harassment problem. Ever.

Back in "the day", users were bombarded with warnings to never give out their email address, lest something bad happen... at one point in time, if you did post your email publicly, it would quickly become unusable as the spam tools & regulations were way behind the spammers. I'm sure there's still a huge contingent out there afraid of putting their email into the wild.

Perception is far more important than reality.

When online sales first took off, credit card theft was a huge concern. Even though nothing would go wrong for the vast majority of people, fear was enough to make users and vendors go to great lengths to protect data. Not a perfect analogy but conceptually similar.

Good feedback on OpenID. What do you think of BrowserID?

> (no one can see it except you and us)

Offtopic, but I used to think that too until a coworker I'd never met emailed me using that address, warning me that apparently the proxy had cached my view of my profile page and he was able to view it. Has this been fixed yet?

The only real way to solve it is to use HTTPS. The Gmail team had this problem for the longest time and is one of the biggest reasons they added forced-HTTPS as an option in account settings.

Whatever you do, there will always be a non-trivial number of ISPs and company networks that have misconfigured proxies that overzealously cache sensitive data and display to everyone with not a care in the world.
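The comment above names the two halves of the problem: HTTPS keeps a proxy from seeing the page at all, and on plain HTTP the only thing standing between a profile page and a shared proxy cache is the response's caching headers. The block below is an added example, not HN's code or anything from the thread; it audits a response-header set for the conditions under which a shared cache may store it (RFC 7234 rules for `no-store`/`private`, plus `Pragma`/`Expires` for the HTTP/1.0-era proxies the comment has in mind). The sample header sets are constructed, and treating a missing `no-store` or a non-past `Expires` as a finding is a deliberately strict policy for pages that carry per-user data.

```python
from typing import Dict, List


def cache_directives(headers: Dict[str, str]) -> Dict[str, str]:
    """Parse Cache-Control into {directive: value}; header names are matched case-insensitively."""
    raw = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    directives: Dict[str, str] = {}
    for token in raw.split(","):
        token = token.strip()
        if token:
            name, _, value = token.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def shared_cache_findings(headers: Dict[str, str]) -> List[str]:
    """Reasons a shared (proxy) cache could store this response and hand it to another user."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = cache_directives(headers)
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("no 'no-store': a cache is allowed to write the body to storage")
    if "private" not in cc and "no-store" not in cc:
        findings.append("no 'private': a shared proxy cache may store the response")
    if "public" in cc or "s-maxage" in cc:
        findings.append("'public'/'s-maxage' explicitly invites shared caching")
    if "set-cookie" in lower and "private" not in cc and "no-store" not in cc:
        findings.append("Set-Cookie on a cacheable response: the session cookie itself could be replayed to others")
    if lower.get("pragma", "").lower() != "no-cache":
        findings.append("no 'Pragma: no-cache': HTTP/1.0 proxies ignore Cache-Control")
    if lower.get("expires", "") not in ("0", "-1"):
        findings.append("no already-expired 'Expires': HTTP/1.0 proxies may keep it until it expires")
    return findings


# Constructed: what a profile page served with nothing but a content type looks like to a proxy.
WEAK_PROFILE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=CONSTRUCTED_SAMPLE; Path=/",
}

# Constructed: the same page with headers that keep every cache generation out of it.
HARDENED_PROFILE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store, private, no-cache, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
    "Vary": "Cookie",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_PROFILE_RESPONSE), ("hardened", HARDENED_PROFILE_RESPONSE)):
        print(label, shared_cache_findings(hdrs) or ["ok"])
```

Even with a clean header set, an intercepting proxy that ignores the spec can still cache whatever it likes, which is the point the comment makes: headers narrow the window, HTTPS closes it.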

You mean nobody can see it except you, YC, and the man in the middle?

Your system is set up to ask your corporate proxy to fetch unencrypted pages for you. That proxy may be configured to make a physical printout on your boss's printer of every page you request and there's nothing YC can do about that beyond offering https://news.ycombinator.com/ for you to use. That, too, may not be sufficient if your company has its own trusted SSL cert installed which is used to proxy and intercept everything so that all your internet activity can be decrypted.

https://news.ycombinator.com/ is available! https HN links come up in Google results (at least from memory).

I am one of the co-founders of Clickpass and I think this is a great move.

I wrote the HN code in about 2 days and I was learning Lisp/Arc so it was awful code (RTM did the OpenID part) and literally no one has touched Clickpass code for 2.5 years. The fact that it still works is always surprising to me :).

Also I think OAuth beat OpenID hands down.

Did you mean "no one has touched the code in 2.5 years?" If so, then that is indeed, surprising.

And yes, OAuth did beat OpenID, but they're not really the same kind of thing.

I know, but for all intents and purposes OAuth ended up being a superset of OpenID.

--- corrected years

It's a credit to your code, Immad, that it is still working.

Immad's already weighed in on this but as the other Clickpass co-founder I also support this decision.

OAuth has definitely trumped OpenID as a protocol, but turning off Clickpass shouldn't be seen as a reflection on either protocol; it is simply removing a dependency on unsupported and remotely hosted code.

Immad did an incredible job of writing code that has run and run; however, since the acquisition there has been minimal and subsequently no support behind the codebase.

I would like to thank both PG and the users of Clickpass here who have been such ardent supporters of it over the years. We tried hard to make it attractive to developers and we received a lot of support for that - thank you.

A suggestion: please have users input their new password twice to catch typos.

Any particular reason for the change? (Just curious)

While we're on this topic, can you add a note to the profile page that says that email isn't publicly visible? This seems to be a common source of confusion.

There's already a bright yellow box that informs you about that, but it only shows when the e-mail field is empty.

Hmm, okay. It still seems that people are often confused by this, though.

I'd lean towards a check box with 'make e-mail address visible (to registered users)'. That way you get the implicit message that it's invisible by default and can share it if you like.

Putting your email address in your profile is important. I once used to be "rb2k", but then I forgot the password I used back then and ended up as "rb2k_". There is no way to reset the password on an account if you're not adding an email :(

I would love an overview of why you're moving away from using Clickpass...

Clearly people are using it (given this message), and as many of us are web developers, the thought process behind this decision would be potentially very interesting.

Do you plan to move to a different system (FB Connect/Twitter/Google Identity Toolkit), or are you happy with a standard username/password model?

Are too many people joining HN and you simply want to add some friction to the process?!

Also, clickpass will need to update their site:

Are there any plans for BrowserID auth, perhaps?

Yes! Please please please implement BrowserID. This is the one authentication/login system that actually has a real fighting chance. We've implemented it for our site (next to FB login) and we are really happy with it.

Could you explain why? When I last looked, a crucial component wasn't specced, meaning you had to rely on Mozilla for part of the handshake. Have things changed?

Why what? Why we are happy with it? It is easy to implement and the people creating it are smart. They've done a good job so far, I see no reason why it won't be successful in the future.

The browser integration will be amazing when it's ready, but until then, it is the closest thing to FB auth without requiring FB or people to give up their friends list or other information they are concerned about.

I'm not sure what 'crucial component' you are talking about, but we are just using browserid.org.

How are your conversions?

I'm looking at implementing this for a new site...

When a tech-audience orientated website like HN stops using OpenID, I think we can say that OpenID is firmly dead.

Sad, I think HN was one of my last consumers of my OpenID account.

I really like using OpenID on StackExchange sites. I just click the "Google" button and I'm logged in!

What's funny to me is how many sites rushed to be OpenID providers, but there were not very many consumers. I tried counting once but I lost count at 15 OpenID accounts that I have from various sites. So much for single sign-on.

I really like OpenID. As a rule of thumb, I prefer OpenID whenever I can...

Do you think? Whenever I get a change to use OpenID on a website I immediately do so. I personally think it's very useful but perhaps a bit too complicated for non-tech users. Although the OpenID provider buttons (think StackOverflow) do make it easier.

Is there a blog post associated with this decision somewhere? Is my scenario of logging in with a Google account that uncommon?

(just FYI, until this decision, HN had the most seamless signup procedure I've ever encountered on a website)

I've never heard of Clickpass, what is it?

Bringing OpenID To The Masses: Clickpass

What is the reason behind stopping support for it?

Boo, give me OpenID back! Or at least don't do password reset via HTTP.

> Or at least don't do password reset via HTTP.

Use HTTPS for password reset, not (unencrypted) HTTP.

How will you let others know once this falls off the front page?

Since notifo is shutting down are you going to remove that?

Is there a standard to support web callbacks (or whatever they're called)? I wouldn't mind hooking up HN to Prowl, since that's what I did with Notifo anyway.

*crosses fingers* scribd next, right?

https link would be nice, unless I misunderstood what was happening there, my password went out in the clear.

https://news.ycombinator.com/changepw works just fine actually, even though pg apparently forgot to put the 's' in the link.

I'd like it if you could still support OpenID. It's still very useful despite its flaws.

It might be a good idea to make this a "sticky post", and keep it in the top 10 until March 15 (or 16th). Maybe even automagically move it up the closer we get to March 15th.

I just followed the steps, but I'm getting a "Bad login." message when I try to sign in using Chrome's incognito mode. How long before the new username/password combo works?

It should work immediately. So either you mistyped something or incognito mode does something that breaks login.

I can't see it being the latter. I've used incognito mode to test logins for web development and there's nothing out of the ordinary.

Make sure you use correct capitalization of your username. The login screen is case sensitive. (Which seems crazy to me)

It's working now, so I guess it was the capitalization, thanks.

Something along the lines of Clickpass is good. It saves people from making hundreds of accounts and the same passwords for many sites.

Thanks. Big win for user security on the Internet.

How so?

Obviously, many people would like to know why this is being done, if not for matters of convenience, for curiosity.
