He forgot an important modern rule on authentication: don't do it.

If you can get another system to do it for you (Persona, OpenID, GitHub, Google, Facebook, or Twitter), it's more secure for the end user. They have features such as two-factor authentication and fraud detection, they manage password resets for you, and the end user is more likely to already have an account.

Many developers don't agree with this on a moral level, as you are giving power to a third party. However, developers are developers, and if you do it yourself you're bound to do at least one thing wrong.

Might be a sample of one, but I don't use any services which require me to provide a Google / GitHub / Twitter account. I have very little trust in what I am authorizing the service to do on my behalf. Perhaps this wariness has come from my experiences with LinkedIn, where I have been negatively surprised on more than one occasion.

