
Why aren't all these web sites using OpenID or some derivation thereof? It seems time to move away from sites trying to do security (specifically login credentials) themselves. As we've seen, numerous professional web sites have been hacked and we have to go and change password(s).

What's stopping it? Are we developers too proud to admit that there is something that we can't do 100% perfectly and it is best left to someone else?




Right, in your utopia we all use OpenID for auth. So that means there are drastically fewer places storing passwords for users. Those places just gained two things:

• an incredible amount of power over a lot of people
• a HUGE digital bullseye for attackers to aim at

No system connected to the Internet is 100% hack proof.

So what happens when an OpenID provider with 20 million accounts gets hacked? The attackers now have the potential to access any of the sites you've used OpenID on.

How about we just try to teach people to be more secure: use strong one-way hashes with random salts, don't assume things are secure by default (Rails session data in a cookie, anyone?), don't trust any user-supplied content, etc.


An average user reuses passwords, and I have serious doubts about education ever changing that.

One of the most common attacks is compromising a small website or forum, cracking hashes (hopefully it wasn't plaintext), then leveraging those credentials on other sites.

Fewer points of failure through centralized authentication have a lot of benefits:

* People who know what they are doing are handling the security, instead of making site owners (frequently with proprietary code) navigate a minefield they often understand very little about.

* Most users are already forced to have very few points of failure, either because of services like LastPass or because they either can't or won't memorize dozens of passwords.

* A centralized, specialized service would hopefully at least be cognizant of being hacked. Making that assumption with every website you would like to register on does not work.

* Additional security like GeoIP checks and 2-factor authentication can be implemented in a way that applies to many types of sites that simply can't be bothered to do so currently.


> A centralized, specialized service would hopefully at least be cognizant of being hacked.

The biggest tech companies in the world have all been hacked. What part of "No system connected to the Internet is 100% hack proof." do you not understand?

Right now, it's largely up to users to ensure some sort of post-"password compromised" security, e.g. by using service-specific email addresses, service-specific passwords, etc. There are third-party tools like 1Password that can help with this, and e.g. Apple is integrating similar functionality into Safari for OS X and iOS.

Under your plan, the user doesn't have that ability: they have to find an OpenID provider they're happy to use, and hope it has decent security.

OpenID has many benefits, and it's nice to have it as an option for login, but thinking that a mass adoption of OpenID will solve problems of password security and storage is naïve.


I don't know enough about OpenID to comment on it.

In the quoted sentence I was pointing out that it's not unusual for websites to be completely unaware that they were hacked. It would certainly be unfounded to assume a service couldn't be compromised.

I think it's unreasonable to ask consumers to maintain a large variety of unique passwords. It's a noble goal but it just doesn't happen. LastPass/1Password do solve the password duplication issue, but at the cost of centralizing your passwords and having sites still manage authentication.

Why trust every site you sign up for to properly handle nuances like password character limits and account reset protocols? What if sites let a third party with a narrow focus handle these details?

Password managers are an easier solution to implement, but I don't think they are better than a well designed solution that's similar to Mozilla Persona. If you think otherwise, I'd be happy to hear why.


The problem with your suggestion is the phrase "third party with a narrow focus".

There are dozens of OpenID providers. The majority, and certainly all the major ones, offer it as part of another service, i.e. Google, Yahoo!, etc.

So to authenticate with some-guys-website.com you want me to then register an account with a third party, because that's better than having a different password for this site?

The likes of Google, Yahoo, etc. already have way too much information about what people do; you seriously want to force people to give them more?

I freely admit that there is a problem with the current system, but the solution is not dumping the concept completely and just trusting the likes of Google for authentication everywhere.

It's perfectly possible to have very strong password hashes (e.g. bcrypt/blowfish, scrypt, PBKDF2) but when you have idiot developers, you get bad results.
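As an added illustration of the "strong one-way hashes with random salts" and "bcrypt/scrypt/PBKDF2" points raised above (example code written for this thread, not posted by any commenter): a per-user random salt plus a slow KDF, compared with the fast unsalted scheme that lets a cracked hash from one site be replayed against another. The record format and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor; raise it over time as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt per account means two users with the same password
    get different records, so one cracked hash is not reusable elsewhere.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt, iterations = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:
        return False  # malformed record never verifies
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current work-factor policy."""
    try:
        algo, stored, _, _ = record.split("$")
        return algo != "pbkdf2_sha256" or int(stored) < iterations
    except ValueError:
        return True  # unparsable records must be replaced on next login


def unsalted_sha1(password: str) -> str:
    """The fast, unsalted scheme the thread warns against, kept for contrast."""
    return hashlib.sha1(password.encode()).hexdigest()


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample: two accounts chose the same password
    print("unsalted, identical digests:", unsalted_sha1(pw) == unsalted_sha1(pw))
    print("salted, distinct records   :", hash_password(pw) != hash_password(pw))
    rec = hash_password(pw)
    print("verify ok / verify wrong   :", verify_password(pw, rec), verify_password("hunter3", rec))
```

Upgrading the work factor is handled by calling needs_rehash at login and re-hashing with the freshly supplied password when it returns True.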


Web services should be relying on passwords because that is a simple means of authentication that users already know and it keeps the services independent from a central identity provider. As we all know, passwords alone can't protect us anymore though, so web services need to give their users an option to secure their accounts with a second factor. Thus in a few years I think that two-factor authentication is going to be a standard way of protecting our online accounts.


What would that second factor be?


The device that you use to sign in could be a second factor. That's how Rublon works: the mobile app allows you to manage your Trusted Devices. Check out a demo at http://www.pagechimp.com/.


Typically something like a YubiKey, a smartphone app, or even a code sent via SMS to a phone, or verbally to a voice phone.


I really hope no one is going to try to force me to carry a phone around all the time (I only have one with me when I'm expecting a call or planning to call someone myself). Those YubiKeys look interesting, but it's still an extra piece of hardware that has to be bought and carried around (and not lost).


Ubuntu forums has subforums for all over the world. Your phone/SMS thing needs to work for every country.


Have everything tied to my gmail account? No thanks.


Persona could work as an alternative.


That's not really what I meant. A number of places support OpenID; we use that for logging in and password management. If something goes wrong we change the password in one place. Gmail is just one provider, as is Facebook. I'm sure that there are more.

As for your Gmail account comment: since most people point their emails to Gmail anyway, everything is tied to their Gmail account already (e.g. password resets).


Whenever I sign into something with OpenID it signs me into all Google services on that account, which is a pain in the ass as I have multiple Google accounts for different things.

If it's separate then at least I can rebind that account to another email address if I choose, such as one I host myself, for example. Otherwise, if my Google account gets closed for whatever reason, then I lose all of these other accounts.

You can of course use a different provider but you're looking at either using some other internet giant or hosting your own openID crap which I'd rather have to do.


You can always host your own OpenID solution.


Oh good, I can use Facebook instead of GMail. I guess my privacy is secure, then.


You can easily run your own OpenID server:

http://wiki.openid.net/w/page/12995226/Run%20your%20own%20id...


Not a solution for the thousands that don't have the skills and the time to install and maintain it.


Even if a site used OpenID and stored no passwords it could still be a target. People want to put spammy links to their spam sites to increase caboodle rankings. You could send a private message on the forum to every forum user; a good percentage will click on it. You've now got lots of Ubuntu Forums users to open an arbitrary URL, and that can be used to springboard more hacking.


I was under the impression I could use OpenID to log onto Ubuntu Forums (if I'm not remembering this wrong, I thought I did so the last time I visited Ubuntu Forums) with my Launchpad.net membership.

Does anyone remember if that was an option? Or was it only "username/email, password" to log onto the site?


An alternative would be to drop login requirements completely – Debian mailing lists work just fine, and on a large percentage of them anybody can post without any password whatsoever.

But email spam filtering is likely more advanced than similar routines for web fora.



