OpenID: Does The World Really Need Yet Another Username and Password?

As we continue to work on the code that will eventually become stackoverflow, we belatedly realized that we'd be contributing to the glut of username and passwords on the web. I have fifty online logins, and I can't remember any of them! Adding that fifty-first set of credentials is unlikely to help matters.

This is a companion discussion topic for the original blog entry at:

Here’s a simple idea…

Extend the mail protocols. Instead of signing up with an Id provider, everyone either has an email account, or can get one for nothing.

When a site needs to identify you, they ask for your email address, forward you to that server for verification, and then you can be forwarded back.

The infrastructure for determining your mail server from the hostname already exists. Further if there is any one provider that already knows everything about you, it’s your mail host.

This isn’t complicated and could easily reach a large audience.

If you’ve never seen Simon Willison’s “The Implications of OpenID”, drop everything and watch it now. It explains the benefits and drawbacks in such a clear and convincing manner, bringing up points that I haven’t come across elsewhere on the net. Check it out here:

To be honest I’d rather you used Microsoft’s Passport or the Google API or something else that I likely already have. OpenID, although a great concept, has actually just created another Id I need to remember.

I really wouldn’t feel safe having just one login for all my accounts. If it gets compromised, then everything gets compromised. I’d rather have separate login credentials for each account/website. Remembering these credentials is not hard at all either, even for dozens of accounts.

Just invent a quick algorithm you can do in your head, which produces a password based on some master password and the purpose of the account. For example, if you choose a teacher’s name as your master password for all accounts (e.g., Mrs. Krabopple), then for logging into Amazon your account password could be something like AmaKraboppleZon - throw in a little 1337 $p33k for numbers and symbols, and you have a complex password that’s hard to crack but easy to remember.

I have been fighting with this same problem. After years of my internet activity I have collected quite an impressive amount of different user names and passwords I had to remember… and I have been trying to, really hard…

I now know that I shouldn’t store them in a Word document (even compressed and passworded - brute force still rules) and I decided one day that I will write an app helping me to solve this problem.

Maybe it will help you as well. It is free. (seventh project down)

If you like it I will appreciate your comment.


Also, it’s kinda cool that you can put two link tags in your header to use your own website as a “shortcut” for your OpenID URL. Assuming you have a website, and you’re comfortable with the whole URL-as-identity concept.

So in other words, I could just type in “” and press “login” and get the correct OpenID provider, etcetera.

Well, you can also choose to always pick the same login, and you only get a password problem. And you can choose the same password also, provided the site lets you choose.
Being registered on fifty sites does not mean you really need fifty different passwords and logins …

I wrote an article on the topic a while ago.

Who Should Manage Our Online Accounts?

It’s also important to realise that there’s no reason for an openID provider to require password authentication. This is alluded to in the post but not in a big way.

For example, your provider could issue you a challenge via IM:

  1. Visit LiveJournal (for example)
  2. Enter openID, click login
  3. Receive an IM from openIDBot: “ requested a login for openID Reply ‘yes’ to allow login”
  4. Type ‘yes’
  5. Logged in

I believe OpenIDs should not be a URL system but rather an e-mail address system. In my case, ‘gmail’ would be my OpenID provider, and I would use my e-mail address to authenticate myself. Like you said, sites already defer authority to the e-mail address provider with password retrieval/resetting features, so it’s no riskier.

“Being registered on fifty site does not mean you really need fifty different password and login …”

Assuming that:

  1. I can use my email address as the login
  2. I can use my preferred password as the password

… on all 50 of those sites. The odds of that seem extraordinarily slim to me. Sites vary widely in what they will accept as logins and even passwords (complexity rules, length, etcetera).

And then let’s consider what happens if I want to change my password. Do I log in to each of these 50 sites and change it?

That said I totally agree with Jan: the “competition” is between OpenID and the inertia around existing per-site login systems.

It might just be me being paranoid, but I don’t think openID will work until a small fee is taken to create a user account (thus creating an almost spam free system). I’m talking about a fee of maybe $0.50 for an account, just to stop spammers from creating hundreds of accounts (just cos it will be too expensive).

But then again, who is willing to pay for using it?

1Password FTW! It’s a super-keychain that remembers webforms, identities, credit cards, etc, all locked down with a single password. It even adds a button to browsers (and NetNewsWire) for easy form filling. Not free and Mac only, but worth it. And it syncs the keychain to an iPhone or Palm. I think powerful local apps like that, maybe combined with random number one time pass tokens, are the future for secure and mostly convenient logons.

Umm… I use Firefox. It remembers all my logins and passwords. I have different credentials for every group of pages I use, so if ever one account is hacked, these logins might work on some other pages of the same kind, but they will surely not work on most other pages I use regularly. Why should I have to remember these? FF has a Master Password. The first time I go to a page that requires login, FF prompts me for the Master Password. Once I’ve typed that in, it will pre-fill all login forms for me.

I can also look up what the remembered password was, just in case I have to.

Further I have a nice extension installed, called Secure Login. What’s that good for, you ask? Well, first of all, it will not auto-prefill forms. Why not? Because as soon as FF puts something into the login fields, JS code could read the values from there and transmit them over the net. This is too insecure. Instead SL will only highlight the login fields for which it knows data is available (in orange, but you may change the color in the prefs) and only prefill them if I hit a shortcut (can be changed to whatever you desire) or if I click the SL icon, either in the status bar (if shown) or in the navigation bar on top (you can configure it to show on either bar, both or none). Another advantage of this extension is: if you have multiple logins for a site (and here is a big advantage over OpenID, as you need different OpenIDs for that), SL will not prefill the most likely one, as FF does by default, and only change the password to another one if I change the login; it will show a sheet window with all available logins and ask me to pick one. Last but not least, I don’t have to click on a login button after SL prefilled the form. I can configure SL to submit the form automatically as soon as it has prefilled the login data.

All in all: Using Firefox with a Master Password (making sure your login data is encrypted on your HD) and adding the Secure Login extension provides a very easy, painless and secure way to manage your logins, and in the end the only password you need to remember is your Master Password.

How about setting up your personal OpenID provider? If there’s anyone you can trust, it should be yourself I guess. Then you can add as much security as you want, plus your OpenID looks cool as well :wink:

At the last count, I had 56 logins to keep track of. Not just for websites, but also work-related. For most of these logins, I DON’T EVEN KNOW THE PASSWORD. Instead, I used KeePass to generate and store a (strong!) password for me, and use the auto-type function to login. Passwords are stored securely (AES) encrypted. The application and data are stored on my EDC memory stick.

OpenID is nice, but the only real solution in my view is a workable public key infrastructure. Something I happen to be working on :).

I’ve spent the last few days implementing OpenID on our group of websites.

In the end, it was reasonably easy to integrate OpenID with our existing login system. Instead of username/password in our database, it was username/provider - which kept our unique username system going, across multiple providers and our own users.

Whether it’s the future I’m not totally convinced. It is more difficult initially to remember your string, and of course, you still have to remember your username and password for your provider.

Your point on the providers is an important one. Wordpress is atrocious. If you are not logged in, it tells you to go to a different page (with no link to that page) and login, and then try again. Others worked properly - even AOL.

"the only password you need to remember is your Master Password"
That’s until you move to another computer, in which case you’re a little screwed (and lots of people log in on lots of different computers all the time).

With regards to using email over URL, it would be preferable from the user’s perspective I guess, but how would you implement it? URLs are used because the service can fetch the HTML from it, parse the data etc. How do you easily do that with email that works across all emails? It would be very difficult.

A lot of the non-dedicated providers (providers that offer other services) like LiveJournal, Vox, flickr, blogspot, technorati etc. allow the user’s profile page to act as their OpenID URL. This means that if, for example, I were a LiveJournal user, all I need to remember to login is the same blog URL that I give to people all the time.

So when are we going to see OpenID on CodingHorror then? :wink:
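Two comments above touch the same mechanism: the “two link tags in your header” trick for using your own site as an OpenID shortcut, and the remark that URLs work as identifiers because the relying party can fetch the HTML and parse it. The following is an added example (not code from the original discussion or from any OpenID library) showing the relying-party side of that HTML-based discovery: it parses the `<link>` elements inside `<head>`, learns which provider endpoint to redirect to and which local identifier to send there, and includes the consistency check a relying party must run on the provider’s later assertion. The sample page, the `example.org` / `provider.example` hostnames and the function names are constructed for this example; the `rel` values are the ones OpenID 1.1 (`openid.server`, `openid.delegate`) and OpenID 2.0 (`openid2.provider`, `openid2.local_id`) actually define.

```python
from html.parser import HTMLParser


class _HeadLinkCollector(HTMLParser):
    """Collects (rel, href) pairs from <link> elements inside <head> only.

    OpenID HTML discovery only honours links in <head>; a link that appears
    in <body> (for instance inside user-supplied content such as a blog
    comment) must not be able to redirect the relying party elsewhere.
    """

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            # rel may contain several whitespace-separated tokens
            for rel in (a.get("rel") or "").lower().split():
                if href:
                    self.links.append((rel, href))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover_from_html(claimed_url, html):
    """Return the provider endpoint and local identifier for a claimed URL.

    The relying party fetches claimed_url, gets back `html`, and uses the
    result to build its redirect to the provider. OpenID 2.0 links take
    precedence over 1.1 links when both are present; if no delegate /
    local_id is given, the claimed URL itself is sent to the provider.
    Returns None when the page carries no OpenID links in <head>.
    """
    collector = _HeadLinkCollector()
    collector.feed(html)
    found = {}
    for rel, href in collector.links:
        found.setdefault(rel, href)  # first occurrence of each rel wins
    if "openid2.provider" in found:
        return {"version": "2.0", "endpoint": found["openid2.provider"],
                "local_id": found.get("openid2.local_id", claimed_url),
                "claimed_id": claimed_url}
    if "openid.server" in found:
        return {"version": "1.1", "endpoint": found["openid.server"],
                "local_id": found.get("openid.delegate", claimed_url),
                "claimed_id": claimed_url}
    return None


def assertion_is_consistent(discovery, op_endpoint, claimed_id, identity):
    """Check a positive assertion against what discovery produced.

    A relying party must only accept an assertion whose endpoint, claimed
    identifier and local identifier all match the values it discovered
    itself from the claimed URL; otherwise a provider could assert
    identifiers it is not authoritative for. (Signature verification is a
    separate step, not shown here.)
    """
    return (discovery is not None
            and op_endpoint == discovery["endpoint"]
            and claimed_id == discovery["claimed_id"]
            and identity == discovery["local_id"])


# Constructed sample page, as a user might host at https://example.org/
# (hypothetical). The <link> in <body> is there to show it is ignored.
SAMPLE_PAGE = """<html><head>
<title>My homepage</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="https://provider.example/user/alice">
<link rel="openid2.provider" href="https://provider.example/openid/server">
<link rel="openid2.local_id" href="https://provider.example/user/alice">
</head><body>
<link rel="openid.server" href="https://other.example/not-in-head">
</body></html>"""


if __name__ == "__main__":
    d = discover_from_html("https://example.org/", SAMPLE_PAGE)
    print(d)
    print(assertion_is_consistent(d, d["endpoint"], d["claimed_id"],
                                  d["local_id"]))
```

Note that the claimed identifier stays the user’s own URL (`https://example.org/` here) even though the provider is told about the delegate URL; that is what lets someone switch providers later by editing two link tags without changing the identity they hand out.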

“Wordpress is atrocious. If you are not logged in, it tells you to go to a different page (with no link to that page) and login, and then try again.”

I suspect that’s an anti-phishing precaution.