(1) put your email address in your profile (no one can see it except you and us), then change your password by going to http://news.ycombinator.com/changepw.
I spent a day implementing OpenID for the users of my website, because I realized, hey, what a cool idea, a URL can represent a single user on the internet, and that user can authenticate against it universally.
The sad truth was that I could not expect a single one of my users to even understand what the hell was going on, because for most test OpenID accounts I set up on Yahoo, etc., I couldn't figure out how to use them. Only the hand-holdy sites exclusively for OpenID even bothered to tell me what my personal URL was and how to use it.
That was when I realized that Clickpass only exists because the implementation of OpenID was a total pooch screw.
If the OpenID standard had required it be simple, like the URL must follow this template - google.com/openid/kevinms and yahoo.com/openid/kevinms, and the user just pasted this into the box, I think it might have been a success. But because they didn't, and they convoluted it more with the concept of your "unique identity on the internet", you need third-party services, which are unnecessary layers that are completely confusing to the user.
That way I don't have to remember another identifier and we already trust at least part of our identity to our email provider. Not perhaps as open, but much more approachable as a user.
Other examples that all suck for this reason:
Windows Live ID.
Erm, to clarify, Jabber isn't an authentication system. It's a decentralized IM network, structured similarly to email. A user is identified by their username on a given host, just like email. It (sensibly, in my opinion) re-uses the same format for that, user@host (I don't think user!host would be quite as intuitive...).
This does not mean a Jabber ID is an email address. It can be, but they are two distinct properties of any given identifier. So saying it 'sucks' because the format of its identifiers happens to look like an email address, and some services choose to enable both email and IM on the same ID, is stretching it a bit.
Though on many mail providers these days, it's the other way round that's true. A lot of people use GMail, but few realize that this means they also have a JID (Jabber ID) and can use XMPP, since Google opens their servers.
It's a shame, really. Google seriously missed a chance to kill all of the mess of a thousand and one IM providers (each with their own, proprietary protocol) and replace it with the open and partially decentralized XMPP protocol, which anybody can implement and run.
That is. They would then have to ask you permission to spam you.
When online sales first took off, credit card theft was a huge concern. Even though nothing would go wrong for the vast majority of people, fear was enough to make users and vendors go to great lengths to protect data. Not a perfect analogy but conceptually similar.
Offtopic, but I used to think that too until a coworker I'd never met emailed me using that address, warning me that apparently the proxy had cached my view of my profile page and he was able to view it. Has this been fixed yet?
Whatever you do, there will always be a non-trivial number of ISPs and company networks that have misconfigured proxies that overzealously cache sensitive data and display to everyone with not a care in the world.
Your system is set up to ask your corporate proxy to fetch unencrypted pages for you. That proxy may be configured to make a physical printout on your boss's printer of every page you request and there's nothing YC can do about that beyond offering https://news.ycombinator.com/ for you to use. That, too, may not be sufficient if your company has its own trusted SSL cert installed which is used to proxy and intercept everything so that all your internet activity can be decrypted.
I wrote the HN code in about 2 days and I was learning Lisp/Arc so it was awful code (RTM did the OpenID part) and literally no one has touched Clickpass code for 2.5 years. The fact that it still works is always surprising to me :).
Also I think OAuth beat OpenID hands down.
And yes, OAuth did beat OpenID, but they're not really the same kind of thing.
OAuth has definitely trumped OpenID as a protocol but turning off Clickpass shouldn't be seen as a reflection on either protocol and is simply removing a dependency on unsupported and remotely hosted code.
Immad did an incredible job of writing code that has run and run; however, since acquisition there is minimal and subsequently no support behind the codebase.
I would like to thank both PG and the users of Clickpass here who have been such ardent supporters of it over the years. We tried hard to make it attractive to developers and we received a lot of support for that - thank you.
Putting your email address in your profile is important. I once used to be "rb2k", but then I forgot the password I used back then and ended up as "rb2k_". There is no way to reset the password on an account if you're not adding an email :(
Clearly people are using it (given this message), and as many of us are web developers, the thought process behind this decision would be potentially very interesting.
Do you plan to move to a different system (FB Connect/Twitter/Google Identity Toolkit), or are you happy with a standard username/password model?
Are too many people joining HN and you simply want to add some friction to the process?!
Also, Clickpass will need to update their site:
The browser integration will be amazing when it's ready, but until then, it is the closest thing to FB auth without requiring FB or people to give up their friends list or other information they are concerned about.
I'm not sure what 'crucial component' you are talking about, but we are just using browserid.org.
I'm looking at implementing this for a new site...
Sad, I think HN was one of my last consumers of my OpenID account.
What's funny to me is how many sites rushed to be OpenID providers, but there were not very many consumers. I tried counting once but I lost count at 15 OpenID accounts that I have from various sites. So much for single sign-on.
(just FYI, until this decision, HN had the most seamless signup procedure I've ever encountered on a website)