Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenID Fan Club Is Shrinking

Posted by timothy on from the and-watch-that-basket-carefully dept.

A.B. VerHausen writes "Even though there's a whole new Web site devoted to understanding and using OpenID, some companies are dropping the login method altogether. OStatic is reporting that the 'free Web site network Wetpaint announced recently that it will no longer support OpenID as a login option for its wiki, citing low usage and high support costs as reasons.' Apparently, fewer than 200 registered users bothered with OpenID, and the extra QA and development time doesn't make it worthwhile to support. This can't come as welcome news on top of the internal issues the article mentions the OpenID Foundation is having now, too." I've actually been quite happy with OpenID, since I have spawned far too many username/password pairs over the last 20-plus years, but it's a major chicken-and-egg problem. Hopefully someone out there will build a better mousetrap ...

16 of 333 comments (clear)

  1. Local software solution instead by wealthychef · · Score: 4, Insightful

    Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for windows) that secures my passwords in once place and protects them with a single master password. No OpenID required, just the Mac Keychain.

    --
    Currently hooked on AMP
    1. Re:Local software solution instead by Anonymous Coward · · Score: 3, Insightful

      Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for windows) that secures my passwords in once place and protects them with a single master password. No OpenID required, just the Mac Keychain.

      This works well if your always logging in to websites from YOUR computer... won't Open ID mean users can log in to websites from anywhere (Work, Friends house) and only have to remember the one user/pass pair?

    2. Re:Local software solution instead by Just+Some+Guy · · Score: 5, Insightful

      Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for windows) that secures my passwords in once place and protects them with a single master password.

      Rather than trust an external site with my security, I use OpenID on my home server that secures my single password in one place and never distributes any of my login information to other servers.

      --
      Dewey, what part of this looks like authorities should be involved?
    3. Re:Local software solution instead by davester666 · · Score: 5, Insightful

      It's because everybody wants to be a provider (so they get all your valuable information from you, as well as your surfing habits from other web sites that use OpenID when you sign on using your ID), but pretty much nobody wants to just accept an OpenID login (as they wind up just sending valuable information to another company with no direct benefit to themselves [and they could care less about the customer's convenience]).

      --
      Sleep your way to a whiter smile...date a dentist!
    4. Re:Local software solution instead by Sancho · · Score: 5, Insightful

      Frankly, I don't trust other computers. I try my best not to log on to online services when I'm not using a trusted computer.

      I'm sure as hell not going to plug a USB drive with my password database into an untrusted computer.

    5. Re:Local software solution instead by GooberToo · · Score: 5, Insightful

      And this is exactly why OpenID never caught on. You implemented it the only way it makes sense. For the vast majority of people this is too much. For companies requiring a login, they garner no information about who is visiting their site so they have no incentive.

      The combination of the two means no one wants to accept OpenID and it is too painful to truly use securely. Whereby securely means, no user information released.

    6. Re:Local software solution instead by coaxial · · Score: 3, Insightful

      Just use password gorilla everywhere since it's available on mac, linux, and win32. That's why I have. But in all honesty, I don't really use it. It's frankly too much of a pain to fire up another program,log in, search, copy and paste the login and password, and the close the program. So what do I do use? Unencrypted plain text files named after domains, all stored in a handy directory named dont_look_here .

      Seriously.

  2. What bothers me about OpenID. by WiiVault · · Score: 4, Insightful

    I am not a user so YMMV, but I personally don't like all my eggs in one basket. I use different logins and passwords on most of the sites I visit. I hardly want a security breach on some forum I post to to be able to have access to my email or credit cards site. Centralized is great for some things, but I simply don't trust any company to be as tight with their security as I am with my own. To them a breach is a "whoops, sorry!" to me it could be personally and financially devastating.

    1. Re:What bothers me about OpenID. by LingNoi · · Score: 3, Insightful

      The idea is dumb, it does put your eggs all in one basket because once someone has your login credentials they have your whole online identity.

      If I found out Richard Stallman's openID usr/pass I could create an account on slashdot and post shit and people would think I am him because I am using his openID identity.

      That's what is so damaging about it. Not only does it give a black hat login access to your personal information all over the internet, but it also allows you to create new information under the guise of someone else potentially ruining a person's life.

    2. Re:What bothers me about OpenID. by roemcke · · Score: 5, Insightful

      You already have all your eggs in one basket. Virtually all online sites will send you new passwords by e-mail if you forget them. If your e-mail account get compromised, an attacker can request and intercept new passwords for any online site he wants to access.

  3. It Is Not Prominantly Displayed by phantomcircuit · · Score: 4, Insightful

    Do you see OpenID anywhere on the front page to Facebook?

    There's your problem, people don't know that OpenID even exists.

  4. Re:I Wonder Why... by truthsearch · · Score: 3, Insightful

    The popular library for PHP is poorly documented. The API has each function documented (phpdoc), but nothing to actually get you started using the API. When we needed to do something other than the rudimentary sample code, it turned into a huge hassle. The API seems far more complicated than it needs to be.

    Developers aren't going to adopt it much if they have to keep re-implementing the standard from scratch. OpenID needs to publish a well documented API for each popular language that might need it. That'll get the ball rolling faster.

    --
    Developers: We can use your help.
  5. Re:a site that uses nothing but OpenID by Blakey+Rat · · Score: 4, Insightful

    Yes, but the difference is that Passport has worked reliably for years and years now... 10 years, if I'm remembering correctly... and I've yet to flawlessly log in to anything using OpenID even once.

    I have to admit, that after typing that post I went back to StackOverflow and they've actually fixed their faulty instructions for how to enter Yahoo IDs. (It used to read: my.yahoo.com/username which never worked, AFAIK. Now it just says to use www.yahoo.com and have Yahoo ask your username, which does appear to work.)

    But look at it this way, availability-wise:

    If you use OpenID with a delegate, you're dependent on your own web server working, at least one of your OpenID providers working, and StackOverflow working.
    If you use OpenID with no delegate, you're dependent on your OpenID provider working, and StackOverflow working.
    If they use Passport, they're dependent on Passport.com and StackOverflow.com both being working.

    If StackOverflow had their own login, you only have one dependency: itself. Clearly this is the best option if you want to optimize for availability.

    And what really makes me bitter here is that the goal isn't to make their website easier or quicker or more available to use, it's just a political campaign to increase the number of people who use some crappy, poorly-designed, technology. OpenID is too crappy to succeed on its own merits, so now we have website "activists" trying to force its use... that's crummy.

    --
    Comment of the year
  6. Nobody does by coryking · · Score: 3, Insightful

    That is half the problem. It isn't an intuitive way of logging into a website. Since the days of timeshare computers, people understand "username / password". Nobody understands "URL => ????".

    If you were to ask me to write the OpenID obituary, the biggest reason the protocol failed was the decision to use a URL instead of an email address. Every other failure was secondary to that one.

  7. Um by coryking · · Score: 3, Insightful

    The Magic URL (which is magic, actually) *IS THE USERNAME AND PASSWORD*. That is the whole point of OpenID. A website leaves the username/password business to some other guy and just trusts the protocol to make sure the Magic-URL is legit.

    If you've hacked RMS's OpenID account, you can just go to any OpenID site, even if he never visited it before, and start impersonating him. That is the "benefit" of OpenID! Most of the OpenID authenticated sites out there dont have a concept of "sign up", you just go to the site, plug in your Magic URL and start doing shit. There is no email confirmation step on those site, and if there was, it would kinda defeat the whole purpose of OpenID in the first place.

    And if I'm wrong in my interpretation of this, please send me to a URL that actually explains how the damn thing works. Nobody gets it and if the OpenID guys can't explain it clearly, they probably dont get it either.

  8. That is a bug, not a feature by coryking · · Score: 4, Insightful

    Lets say I've hacked your OpenID account. Now I can go visit sites like StackOverflow and post as you. Since they dont require email verification when you "sign-up", it doesn't matter if you had an existing account with them before I hacked you. I can go anywere that takes OpenID and "silently" impersonate you regardless of if you used the website before. No email verification means you'd probably never know it either. Well.. until you google "AvitarX" and find yourself posting horse porn on some OpenID site.