OpenID: Does The World Really Need Yet Another Username and Password?

@Goran:
“OpenId lets you choose who you trust to authenticate you. Sites implementing OpenId simply do not care who you trust - that’s your responsibility (kinda like your password is!). That’s why OpenId is a good idea.”

No, that’s one of the reasons it’s a bad idea. It means that if one bad site manages to get your password, then all sites you have a login to will be open to the bad site. In effect, it means that if you compromise the system, you compromise all sites a user has access to instead of just one.

Regards
Fake

@MDRisser: Try KeePassX (cross-platform open source port of KeePass Password Safe). The only issue is - how secure is your KeePass password? What if you lose your thumb drive? Will someone be able to crack your password by guessing it, dictionary attack, etc?

@Aaron G: Choice makes OpenID so great though - YOU get to choose a provider you trust, you aren’t reliant on just ONE company to do the right thing for you and being locked in if things go south. A decent OpenID provider will provide banking-grade SSL security and multi-level authentication, making it almost impossible to hack your account unless they either (a) have access to your computer, or (b) have access to you (i.e., someone you know). Not even banks provide that level of security with online banking. You need to look around/into this more, because the lock as you refer to it, well it’s pretty damn good.

@PaoloB: Say you have 50 accounts. That’s 50 usernames, 50 randomly generated ~160-bit passwords to remember. Most people would struggle with that. (Obviously I’m referring to a security-conscious person here - not someone who uses a couple of usernames/passwords for everything!)

@JAtkinson: [] Clear cookies [] Clear form data OR use a different computer. uh oh. Plus, most websites that use the “remember me” option expire the login after a couple of weeks at most.

@Vinnie: Great point! And how often do we sign up for an account somewhere, then after a while… along comes the spam. They’ve sold our email address (indication of poor trust) OR their database has been hacked (indication of poor security). What’s to say that our password hasn’t been acquired as well. A decent OpenID provider will eliminate these issues.

@Keshi: That would be extremely rare. Almost never see a site change its domain name. Even if they did, a decent provider wouldn’t change the identity URI that people use.

@Christian Nunciato: Yes, but you still have that overhead every time you sign up for a new account of entering all those details YET again.

@Ian00: You trust a company every time you create a new account though… how is this much different. Except with what you’re alluding to, that trust is fragmented across possibly dozens or hundreds of sites instead of just one.

Everyone needs to go watch Simon Willison’s video, whether you love or hate the OpenID concept, whether you use it every day or don’t even know what it is. It answers all your questions.

Time to get off this merry-go-round!

@Eric Florenzano: Simon Willison hit the nail on the head with that presentation - it’s perfect. Everyone should watch it, especially the critics, it’s completely invaluable.

@bandini: Any security expert will tell you that this is a terrible idea. If your login details are compromised, then every single account you have will be compromised because they have your username and password. (Yes, I know what you’re thinking: ‘but with OpenID…’ - read on!)

Furthermore, half the time using the same login credentials doesn’t work. Usernames can often be taken, email addresses can’t be used as usernames on some sites, and password rules always vary. I always try to use 24 character passwords with a combination of upper/lower-case characters, numbers, symbols - but some sites, even banking sites, will often only allow 8 character passwords.

Using an email address as the URI for your OpenID identifier would seem a logical progression, but email addresses often change. There are millions of people with free Yahoo!, Gmail, Hotmail, etc. accounts - and these shut down after inactivity. Plenty of people (unintentionally) let them expire. Many others use their work email address for everything, but what happens when they change jobs? Email addresses are too transient. Something of a more permanent URI is needed - thus the URL. With delegation to your website or blog, you can have one address forever.

Regarding security, several of the “big OpenID players” are looking at security options that far surpass that of one username/password for every site / “email me my forgotten password” emails. e.g., myOpenID uses CallVerifID to call you on your mobile phone when you log in. Client certificates are also an option, as are (CardSpace/InfoCard) Identity Cards. So with this particular provider, unless someone has your OpenID URI AND your mobile phone AND is at your computer to gain access to the client certificate (AND optionally the ID Card), NO ONE EXCEPT YOU will be able to log in to your OpenID account and any websites that you use OpenID to log in with. Traditional per-website login credentials simply cannot match this level of security.

Another example regarding security is the VeriSign Personal Identity Provider. You can purchase for about $5 (through eBay/PayPal) a fob that will generate a unique one-time use token for when you log in, in addition to your OpenID URI and password. Again, someone would need to gain access to your URI AND password AND fob in order to gain access to your account.

With awareness and adoption ramping up, it is simply a matter of time before this becomes the norm. People are afraid because this is something new. If OpenIDs were around in the early 90s rather than username/password/email login options, we wouldn’t think twice about it.

Find a good provider (myOpenID, claimID, VeriSign PIP are some good ones), have a play around, and enjoy. It does make life so much easier!

“There’s absolutely no way I’d put my banking credentials behind an OpenID”

Having my banking credentials behind OpenID would be great, PROVIDED that my bank also asked for my banking password AFTER I have logged on with OpenID. It would stop most risk of phishing as a fake banking site would make my OpenId ask me if I trusted the site.

(Also I would not have to remember my bank account number.)

@Ian Ringrose: great point. +1 for me, but only if the OpenID provider had exceptional security (SSL, client certificates, multi-level authentication)

I agree with Fake.

The only way to solve it would be to have some sort of browser technology that encrypted the password before passing it to your OpenID server. So, when you create an openID, you give it a password, and it gives you a key that you put into your browser.

When you go to login, you press something on the browser, it takes the site name, your key and your password and creates a hashed value that the site would pass to the OpenID box to authenticate.

To be honest, you may as well use something like Keepass.

Are you sure OpenID is ‘Worse is Better’ and not more ‘Architecture Astronauting’?

I think multiple logins based on a single email address is certainly the ‘Worse is Better’ solution.

I see some people talking about password repositories such as those built-in to Firefox, but as another person has pointed out, that’s no use if you move computer.

A middle ground is to use a password hasher add-on like pwdhash, password_hasher, or similar. These basically create a secure hash (numbers, letters, punctuation, etc) based on a master password and the domain-name of the site you’re accessing (e.g., gmail.com, livejournal.com, whatever).

For example, with pwdhash, all I need to do is press F2 with focus on the password field before entering a password, type in the pass then click the login button. The add-on hashes the string entered into the password box before the form is submitted.

If you’re not near a computer with the addon, pwdhash (and probably others) have a web-site that you can use to generate the hash and copy/paste it into a password field. Providing you have a fairly unique ID, then all you need to remember is one password, but all the sites logged into have different (and strong) passwords.
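The two schemes described in this thread (the browser-side "site name + key + password" hash proposed a few comments up, and the pwdhash-style master password + domain hasher described just above) both come down to deriving a per-site password from one secret and the site's domain. The block below is an added illustration, not code from the page or from pwdhash itself (pwdhash uses a different construction, HMAC-MD5 with its own encoding). It assumes PBKDF2-HMAC-SHA256 as the derivation, a 70-character output alphabet, an optional device-held key (the "key you put into your browser" idea), and that the last two host labels identify the site; the alphabet, iteration count and retry-on-policy loop are choices made here.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Output alphabet for derived passwords (choice made for this example).
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def site_key(url_or_host: str) -> str:
    """Reduce a URL or bare host to a lowercased site name.

    Assumption: the last two host labels identify the site
    (mail.google.com -> google.com).  A real tool would consult the
    public suffix list so that e.g. example.co.uk is not reduced to co.uk.
    """
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlsplit(s).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def meets_policy(pw: str) -> bool:
    """Typical composition rule: one lower, one upper, one digit, one symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def derive_site_password(master: str, site: str, device_key: bytes = b"",
                         length: int = 16, iterations: int = 100_000) -> str:
    """Derive a per-site password from the master secret and the site's domain.

    The master password never leaves the machine: a site only ever sees the
    derived value, and a site that is compromised (or phished, since the
    phishing domain differs) learns nothing usable on other domains.
    device_key models the extra browser-held key from the earlier proposal;
    leaving it empty gives the pwdhash-style master+domain scheme.
    """
    key = site_key(site)
    for attempt in range(64):
        # The site name, device key and retry counter go into the PBKDF2 salt.
        salt = (b"site:" + key.encode("utf-8") + b"|device:" + device_key
                + b"|n:" + str(attempt).encode("ascii"))
        dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                 iterations, dklen=32)
        # Map the 256-bit output onto the alphabet by repeated division
        # (70**16 is far below 2**256, so there is no meaningful bias).
        n = int.from_bytes(dk, "big")
        chars = []
        for _ in range(length):
            n, r = divmod(n, len(ALPHABET))
            chars.append(ALPHABET[r])
        pw = "".join(chars)
        if meets_policy(pw):
            return pw
    raise RuntimeError("could not derive a password satisfying the policy")


if __name__ == "__main__":
    # Constructed sample inputs.
    master = "correct horse battery staple"
    print(derive_site_password(master, "https://mail.google.com/login"))
    print(derive_site_password(master, "google.com"))  # same as above
    print(derive_site_password(master, "livejournal.com"))  # different site
```

Different URLs on the same site yield the same password, so the user only remembers the master; a different domain (including a look-alike phishing domain) yields an unrelated one. The retry counter is what lets the tool satisfy the varying composition rules complained about elsewhere in the thread without the user having to remember anything extra.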

@anon: you should read the comments before posting. Someone already pointed out that this is not an option when using more than one computer. And lots of people do just that.

Regards
Fake

I also use 1Password… Yeah it doesn’t work on other machines, but they’re releasing an online version soon that will take care of that. I’m not sure I’ll use it, but I don’t really need it anyway. So, assuming I stay local to this machine, it’s going to remain a better solution than OpenID. (I’ve landed on a few OpenID sites - I chose not to use it.)

“Sorry! You will not be able to login to this website as it is using an older version of the OpenID technology. Yahoo! only supports OpenID 2.0 because it is more secure. For more information, check out the OpenID documentation at Yahoo! Developer Network.”

The http:// prefix is not required, as per the OpenID spec. This at least makes it look simpler, e.g.

http://mxcl.livejournal.com

vs.

mxcl.livejournal.com

My OpenID is thus merely methylblue.com.
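The reason the prefix can be left off is that the relying party normalizes whatever the user types before discovery. The function below is an added illustration of that normalization step (OpenID Authentication 2.0, section 7.2, plus the RFC 3986 section 6 rules it references); it is not code from the page or from any OpenID library. It handles the XRI case only by recognizing it, does not follow redirects (the spec requires the final redirected URL to be the claimed identifier), and drops any userinfo part, which an identifier is not expected to carry.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI Global Context Symbols, plus "(" for cross-references (OpenID 2.0, 7.2).
XRI_GCS = "=@+$!("


def normalize_identifier(user_input: str):
    """Return ("xri", xri) or ("url", normalized_url) for a typed identifier.

    URL normalization applied here (RFC 3986 section 6):
      - prepend http:// when no http/https scheme is given
      - lowercase scheme and host
      - drop the default port for the scheme
      - use "/" for an empty path
      - strip any fragment
    """
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GCS:
        return ("xri", s)
    if not (s.lower().startswith("http://") or s.lower().startswith("https://")):
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()   # assumption: userinfo is dropped
    port = parts.port
    default = {"http": 80, "https": 443}[scheme]
    netloc = host if port in (None, default) else f"{host}:{port}"
    path = parts.path or "/"
    # Fragment is deliberately left empty; the rest is reassembled as-is.
    return ("url", urlunsplit((scheme, netloc, path, parts.query, "")))


if __name__ == "__main__":
    for typed in ("mxcl.livejournal.com", "http://mxcl.livejournal.com",
                  "HTTPS://MethylBlue.com:443/#top", "xri://=example", "=example"):
        print(typed, "->", normalize_identifier(typed))
```

Both spellings in the comment above normalize to the same claimed identifier, which is why the provider does not care whether the prefix was typed. A relying party that skips this step and compares raw strings can end up treating the same identity as two different users, or two different ones as the same.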

The biggest issues in my mind are the usability one, since users are redirected to a completely different site to log in - this is disorientating - and that there is a single point of failure: if my provider went down for a day, or much worse, forever, I’d be a very unhappy Internet user.

Which is one reason you should always delegate the OpenID through your own, or some other URL I guess.

Why bother with all that rigmarole when there is a perfectly good and elegant solution available for free (or cheap if you use it for a lot of passwords)?

I use a product called roboform (http://www.roboform.com/) to store all my passwords and as a bonus it also has the following nifty features:

  • When you do have to fill out a registration form, it remembers all your info and auto-fills it with one click.
  • It will autogenerate and fill in a password so you don’t have to make them up for every site.
  • It stores the PW list encrypted on your hard drive (or thumb drive) and optionally lets you have a single master password to get access to all your sites. Seems more secure than having your PW list stored out on an HTTP server somewhere.
  • A side benefit I discovered as a web developer is that it makes it really quick to test web forms of your app so you don’t have to fill them out and re-fill them out over and over during testing.

This little cheapie widget totally changed my life. Despite “admin-itions” against re-using the same credentials, I used to do it just to keep track of it all. Now I have strong passwords even for sites where I could care less if someone hacked my account.

The point of openid is not to be secure or to help you to login to all your banks. The point is to save you time registering on 100 tiny little sites which all want you to register. Forums, blog comments, food sites, preferences, etc… things nobody cares to steal from you and you wouldn’t care if they are… all require you to register, confirm your email, activate, etc. All that pain in the ass is solvable with a single openid.

OpenID has never been positioned as a replacement for the failed MS Passport. It’s just an easy way to “autocreate” an account on a site that supports it.

OpenID is bad for mobile users (I can’t see me typing those damn long OpenID URLs with my cell phone) and bad for privacy:
I like it that I have multiple identities all over the web. What I say and do here does not have to be linked to what I say somewhere else.

All the people saying MS Passport/Live is a better, more trustworthy option to OpenID - it only works on MS sites. They used to allow third-party sites to accept Passports, but in like four years, they only had about 50 non-MS sites on board and so canned the idea. In a quarter of that time, OpenID has more than 100 times the number of sites on-board that can consume OpenIDs, and it’s growing daily. (okay, not entirely sure about the numbers, but they’re probably not far off)

If you can’t trust the providers available in the wild, you can run your own server: http://wiki.openid.net/Run_your_own_identity_server

Nice article cool!

Jeff,
As a web developer, I’m concerned about developer incompetence. I must confess that I don’t completely understand how OpenID is supposed to work, but I’m concerned that some naive developer is going to do something incredibly boneheaded and virtually give away my credentials. So, my question is this: how much work does a developer have to go through to support OpenId, and is it easy to screw up? Or does OpenId somehow idiot-proof the process?
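The question above is the right one to ask, because the relying party (the site accepting the login) has real work to do when the provider redirects the user back: it must verify the provider's signature over the right fields, check that the response was meant for it, and reject replays. The block below is an added illustration of those checks for the association (shared-secret) path of OpenID Authentication 2.0, where the signature is an HMAC over the key-value form of the fields listed in `openid.signed` (spec sections 6.1 and 10.1). It is not code from the page or from any OpenID library; `make_assertion` is a constructed stand-in for a provider response, the shared secret and association handle are constructed values, and the five-minute nonce window is a choice made here.

```python
import base64
import calendar
import hashlib
import hmac
import time

# Fields a positive assertion must include in openid.signed (OpenID 2.0, 10.1).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def kv_form(params: dict, fields) -> bytes:
    """Key-Value Form encoding (6.1): 'key:value\\n' per signed field, in order."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode("utf-8")


def compute_sig(params: dict, assoc_secret: bytes) -> str:
    """Base64 HMAC-SHA256 over the key-value form of the openid.signed fields."""
    fields = params["openid.signed"].split(",")
    mac = hmac.new(assoc_secret, kv_form(params, fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def make_assertion(assoc_secret: bytes, op_endpoint: str, return_to: str,
                   claimed_id: str, nonce: str) -> dict:
    """Constructed positive assertion, standing in for a real provider's response."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "constructed-assoc-handle",
        "openid.signed": ",".join(REQUIRED_SIGNED),
    }
    params["openid.sig"] = compute_sig(params, assoc_secret)
    return params


def verify_assertion(params: dict, assoc_secret: bytes, expected_return_to: str,
                     expected_op_endpoint: str, seen_nonces: set,
                     now: float = None, max_skew: int = 300) -> str:
    """Relying-party checks; returns 'ok' or the first reason for rejection."""
    if params.get("openid.mode") != "id_res":
        return "not a positive assertion"
    fields = params.get("openid.signed", "").split(",")
    missing = [f for f in REQUIRED_SIGNED if f not in fields]
    if missing:                       # an unsigned field could be swapped freely
        return "unsigned required fields: " + ",".join(missing)
    try:
        expected_sig = compute_sig(params, assoc_secret)
    except KeyError:
        return "signed field absent from response"
    if not hmac.compare_digest(expected_sig, params.get("openid.sig", "")):
        return "bad signature"
    # The response must be for this request and from the endpoint we discovered.
    if params["openid.return_to"] != expected_return_to:
        return "return_to mismatch"
    if params["openid.op_endpoint"] != expected_op_endpoint:
        return "op_endpoint mismatch"
    # Nonce: timestamp prefix must be fresh, and the value must never repeat per OP.
    nonce = params["openid.response_nonce"]
    try:
        ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return "malformed nonce"
    now = time.time() if now is None else now
    if abs(now - ts) > max_skew:
        return "nonce outside time window"
    key = (expected_op_endpoint, nonce)
    if key in seen_nonces:
        return "nonce replayed"
    seen_nonces.add(key)
    return "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    rp, op = "https://rp.example/openid/return", "https://op.example/server"
    resp = make_assertion(secret, op, rp, "https://alice.example/", "2008-01-01T00:00:00Zabc123")
    seen = set()
    print(verify_assertion(resp, secret, rp, op, seen, now=1199145600))  # ok
    print(verify_assertion(resp, secret, rp, op, seen, now=1199145600))  # nonce replayed
```

Each rejection branch corresponds to a mistake a hand-rolled relying party can make: accepting whatever fields happen to be signed, comparing signatures with `==`, not tying the response to the original request, or never recording nonces. In practice a site should use a maintained OpenID library rather than reimplement this, but knowing what the library must check is how you review its use.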

Centralized usernames/passwords is a good idea, but I’m not sure why it has to be an ugly URL to use, username or email would be a lot nicer. And isn’t this pretty much what Microsoft is trying with their Windows Live ID? Until we get one standard for everything, I can’t see this working out really well.

How does this work with maintaining the login information for a user? Most of my sites require security roles which need to be checked on each page. I like to go back to the database on each page load to check these (I normally save session variables with username/passwords and then authenticate on each page)… I don’t feel really good about simply setting some field as “Logged On”.

I do have about 5 or 6 sites of my own, but this discussion has me thinking I should perhaps try and set up all those sites to use the same login.