Slashdot Mirror
OpenID Fan Club Is Shrinking
A.B. VerHausen writes "Even though there's a whole new Web site devoted to understanding and using OpenID, some companies are dropping the login method altogether. OStatic is reporting that the 'free Web site network Wetpaint announced recently that it will no longer support OpenID as a login option for its wiki, citing low usage and high support costs as reasons.' Apparently, fewer than 200 registered users bothered with OpenID, and the extra QA and development time doesn't make it worthwhile to support. This can't come as welcome news on top of the internal issues the article mentions the OpenID Foundation is having now, too." I've actually been quite happy with OpenID, since I have spawned far too many username/password pairs over the last 20-plus years, but it's a major chicken-and-egg problem. Hopefully someone out there will build a better mousetrap ...
Stack overflow took an interesting approach, and only uses OpenID. They don't even have a non-OpenID option. Proprietor Jeff Atwood discusses some of the tradeoff at his blog.
Hmmmm...
I checked out the "Explaining OpenID" web site referenced in the article, and it didn't make a whole lot of sense.
It did tell me that my OpenID is: www.google.com/o8/id
I undoubtedly will not remember that, nor do I believe it is even accurate.
I then read how I could integrate it into my own web site - and despite doing a ton of web development and XML stuff, had no idea what they were talking about - at either a high or low level.
In conclusion - If they want to get users and developers on board with OpenID - their going to have to do a hell of a better job. Either that, I'm just too stupid to understand their "OpenID for Dummies" web site.
Now I'm of course just an engineer and developer - I'm sure users like my parents, grandparents and kids would understand this stuff much better.
Why make things complicated? Just use X.509.
Just have GETs to "http://anyserver.com/id/Lord Ender" return a certificate (public key) issued to, literally "http://anyserver.com/id/Lord Ender".
I would then have the certificate/keypair installed in my browser. It doesn't matter who it is signed by-it can be self-signed.
When I sign in to a website, I put "http://anyserver.com/id/Lord Ender" as my ID. The website then fetches my certificate from anyserver.com and asks my browser to prove I'm me using the built-in features of SSL. From then on, the web site will know me as "Lord Ender of anyserver.com".
It doesn't get any simpler or easier to implement.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I am a web developer by trade, and so far one of the most infuriating things that I have to deal with on a weekly basis is that my customers simply can't bring themselves to care enough to remember their admin logins. Every week I have to unlock a handful of administrators. It doesn't matter if I provided them with a proper password rescue option, it is simply too much for them.
The second big problem is that we have multiple branches of certain products running at the same time, so at any given time one of my customers may have to login into her production, staging or 2-3 development servers, each with its own username and password.
We are a .net shop, so my original idea was to use the new membership and role providers and remove the login mechanism from all sites from a given customer. This works, but it is hard to get all sites in line since there is always something else going on that is more important. They still screw it up, but at least they only have to remember one username and password that works at the same level (production, staging, dev, etc.).
When I heard about OpenID I tried to see if I could implement it in any of our sites that use .net 2.0-style security. I was glad to see that somebody already had thought of this, and I found a ready to run library with a very nice login control for .net that uses OpenID.
It wasn't easy, but it was interesting, and within 10 or so hours invested I had:
1. A .net web app that used ANY OpenID instead of the built-in aspnet_* tables hierarchy. .net app that uses the SQL membership/role providers.
2. A recovery page. You type your email address and it emails you a list of any OpenIDs in the system that match that email address.
3. A self-registration page. If you arrive at the web app, and you authenticate through OpenID successfully, and you don't have a local profile, it asks you to fill a quick form.
4. Security roles are used just like any standard
The beauty of it is that I can even run my own OpenID server for my customers. All they would need to remember is that they login by typing a URL like:
userid.ouropenidserver.com
and it would do the rest for them.
One customer, three projects, three environments per project, that's nine login/password pairs that I am expecting them to remember. Instead all they need to remember is the URL and the password. If they lock themselves out, all they need to remember is the email address used to register, which emails them their OpenID URL. If they forget their password, that is handled at the OpenID provider level, not at the end user application.
Even if nobody else in the world uses it, to me it clearly means that I can spend more of my customer's money in building new things instead of on troubleshooting and damage control (even if the two figures are identical, customers will bitch more about paying for repairs than paying for work that can be recognized as new). And it is an easy concept, if they have a Google or AOL account, they already have an OpenID.
Pedro
----
The Insomniac Coder
I'm surprised that /. geeks actually use specific tools to manage their passwords, when it's so much simpler and quicker with a couple of shell micro-scripts.
I have my passwords in a file on a TrueCrypt volume.
In Windows, I have
p.bat: /N /I "%1"
@FIND
and padd.bat:
@ECHO %* >> T:\p
In bash it's almost the same:
p: /mnt/tc/p
#!/bin/sh
grep -in "$1"
and padd.bat: /mnt/tc/p
#!/bin/sh
echo "$@" >>
All I have to do to find all my gmail accounts and passwords is to type "p gmail" at a command prompt.
In Windows (maybe in Linux as well?), you can also play with "Alternate Data Streams"
Authentication on the web is kind of messy and annoying, but OpenID is so too. It just doesn't feel right to be pushed from one server to the next to do authentication, since it leaves the door wide open to phising attacks. Also using URL for authentication just looks ugly.
I personally would prefer something that works on the client side and not on some other third server, i.e. store a GPG public key in your browser and have the browser use that to automatically sign blogposts or whatever to authenticate you. To stop spam one could have third parties sign the GPG key to create a web of trust kind of thing.
So you would have a reusable secure token you use for authentication on all pages, instead of having to come up with new passwords all the time. And it would also keep the third party out of the picture, since the token remains only on your client and never leaves it.
I use a truecrypt volume in autofs which automounts the truecrypt volume when I try to open the password file, and unmounts it two minutes later.
Password Safe (on Windows) + Password Gorilla (On Linux) + rsync over ssh to sync the password database works quite well for me. If you have a decent router (wrt54g with tomato firmware for example) you can easily setup and use dyndns to get to home security regardless of what network you're connecting from.
I have a bunch of random 16-64 character passwords (depending on what the site will let me use) that involve upper and lower case letters, numbers and symbols, and I don't need to remember them all (just the password for the database).
Three points:
1) It's risky to use the same authentication credentials and password for multiple accounts. If one web site is compromised it would enable unauthorized access on everything else.
2) If you use different passwords for each account, it's extremely difficult to remember them all. Highly impractical for some, impossible for most.
3) Trusting all your authentication credentials to a browser is fine, unless someone else uses your PC without your permission. The browser will just as happily fill in the forms for them as it does for you.
Eagles may soar, but weasels don't get sucked into jet engines.
One of the things I like about OpenID is that I only need to recall one username/password combo to log in to sites with it when I'm at another computer (like at a friend's house). I just wish it was used more often. I also had a problem today where Firefox lost one of my username/password combos for a site I haven't used in quite a while. I made a point after I set this computer up to visit it and save the combo, but sure enough today it wasn't there, and when I checked saved passwords the site wasn't listed. No idea when it lost it or why, either.
by using auto logins I didn't have a clue as to what it was anymore...
Been there. But I've mainly mistrusted autologins because of the risks involved. Putting all those UID/password combos in one place makes that file a worthwhile target to hack. From there you have to put your faith in the encryption algorithm alone, which IMO is a very bad place to be.
My approach is to have a few strong but memorable passwords which I re-use across multiple websites. One of these is used only for banking, and gets changed comparatively often, while another remains static for sites (like Slashdot) where it doesn't really bother me one way or another if someone manages to crack it. I actually leave Firefox to remember this one. Another is for other stuff of high value but for which I don't want to use the same password as my bank accounts.
That way, I can get by with a plain-text file with just a list of userIDs, which by themselves are not useful, and I only have to remember 3 passwords, which I can manage easily enough. It might sound cumbersome, but it works for me, and it keeps access under my control so if someone steals my laptop I don't lose everything.