‘"the only password you need to remember is your Master Password"
That’s until you move to another computer, in which case you’re a little screwed (and lots of people log in on lots of different computers all the time).’
This is true, but as someone else pointed out, just put Keepass on your thumb drive, that’s what I do and the problem is virtually solved, at least between the two or three Windows boxes I log into.
The problem with this approach is that I’m screwed when I login to a Linux or Mac box, which I do quite frequently as well.
What we need is a cross-platform app to run off of a thumb drive that will store usernames and passwords for us.
The security of this approach lies in the fact that YOU have control over your thumb drive; you’re not reliant on a third party’s security or lack thereof. You’re also able to use different usernames and passwords for different sites.
Hmmmmmm, I think it’s time for me to figure out how best to go about doing this…
I’d have to say that associating yourself with a strange but relatively short URL is not significantly different than with email. Email is a URL - we just don’t use the “mailto:” convention because the “@” syntax is unique among URL formats. Adding “http:” is a little extra typing, but the only real difference is that the position of the user identifier and host domain aren’t consistent in the definition of OpenID - but they will be consistent for the user, as your OpenID provider won’t likely change much.
Using the URL only seems strange to us because we are so used to using our emails as logins in so many places. I’m willing to bet that if you taught a new user how to use the OpenID format, they would adopt it as quickly as we have adopted any other convention.
My problem: I have multiple OpenID IDs. I had an account with Yahoo, an account with AOL, an account with Livejournal, and so on. So now I have several “single” sign-ons. There’s no obvious way to consolidate all of them together into the mystical single sign-on.
Personally, I prefer e-mail address. Because I own my own domain, every site gets a different e-mail address, and I use a catch-all to get them. This makes filtering a lot easier (sent to X@Y.com), helps see who sells my e-mail address (hey, I’m getting spam sent to X@Y.com. I wonder how they got X’s name!), and still gives me a rememberable, unique username for each site. Not all sites are as kind about username, though.
This has the typical e-mail-as-gateway problem. Essentially, I’m not sure how you get away from reducing passwords causing points of failure to be more important to secure.
“Perhaps the most compelling point Jan makes is this one: it is a bit odd to ask users to associate themselves with an arbitrary URL instead of an email address”
What’s the difference between yourname@someprovider.com and someprovider.com/yourname or yourname.someprovider besides the order? Both seem equally arbitrary. The only advantage is the standard formatting for e-mail addresses.
This may sound devilishly naive of me, but how is having to remember passwords a problem? Are we really becoming that lazy?
Case: A man stores all his valuable phone number contacts in his cell phone. He loses the phone and the SIM card. He no longer has the ability to contact anyone of import because he never learned those numbers. We now want instantaneous communication with everyone we’ve ever met, through IM, text messages, emails, message boards, chat lines, et al. But we don’t store any of this knowledge. It’s just more noise.
If a site requires me to login, and it’s something that is ever-so painful for me to do, I just won’t create an account. If it’s something important to me, then I do. I generate a random password in my PasswordSafe (one I don’t even know) and just pop it in there, unless a password is automatically generated by the system. Either way, I store it in my safe, to which only I have the key.
This is a long discussion about a non-problem. There is no login explosion. If you think there is, then you’ve created too many accounts. Take a break, go outside.
Say it with me: THERE IS NO LOGIN EXPLOSION. Unless there’s also a phone number explosion that we, as developers, need to contain. And an email address explosion. And a designer clothes explosion.
How much work does a developer have to go through to support OpenId, and is it easy to screw up? Or does OpenId somehow idiot-proof the process?
OpenId will generally be far more secure than the average developer implementation of username/password. Assuming you choose a provider that uses SSL.
My problem: I have multiple OpenID IDs.
How is that a problem? You have several different forms of identification in your wallet and house right now. Passport, driver’s license, birth certificate, credit cards, etc, etc. All useful in different (and sometimes very narrow) circumstances.
@Jon Raynor, you managed to answer your issues with OpenID with your complaints about passwords. OpenID can solve your password problems; your OpenID provider doesn’t need to use passwords if it has some other means of authentication.
I’ve got the impression that most people criticising OpenID here don’t really grok the concept. Jeff, perhaps you could write a bit more about it – or simply post a link to the Identity 2.0 talk by Dick Hardt (which admittedly is not OpenID but the thrust goes in the same direction). A lot of the complaints here – centralizing credentials, giving away trust or control, etc. – are exactly the opposite of what OpenID might establish.
A lot of (if not all) the security concerns people are mentioning are answered by the Simon Willison video linked in the first comment above.
In particular, he points out that emailing a token to the user when they forget their password is exactly equivalent (as far as security) to using OpenID – in both cases you’re trusting your security to a third party that the user trusts.
So if you don’t trust a Yahoo OpenID, you shouldn’t email a “use this one-time token to login” to any Yahoo email address either.
I find it funny that so many people say “use the same username and password for all your sites!”… Yeah, you could do that for convenience, but that means you trust the owners of each of those sites to not try to use your same username and password on other common sites for their own nefarious purposes.
OpenId is great, it shouldn’t replace dedicated logins for things like bank accounts yet, but for the majority of sites out there, it’s a great concept.
One way to improve it would be to work on some sort of browser integration with it… Maybe make a Firefox Addon that handles the login a little better and more secure than just counting on the user to verify that they are redirected to their openid site and not a phishing site.
Personally, I prefer info cards over OpenID. However, neither is really ubiquitous.
This is why I use RoboForm password manager. Others in the comments have recommended similar. I don’t know any of my passwords but a few like my email and my bank. However, there is a portable version of RoboForm, RoboForm2Go, which makes this all portable. You just plug your S3 USB key into any PC and RoboForm is attached to the browser.
There is also an alternative site, https://mashedlife.com/ . This place is similar to OpenID however the places you login to don’t need to support OpenId. It is like RoboForm but on the web. So, you don’t need your USB key. Of course, you have to trust them since they have all your passwords… but if you can trust an OpenID provider, why not them?
Hmm… I didn’t see anyone mention Password Composer (http://tinyurl.com/bhg3p). The passwords it generates aren’t cryptographically strong or anything, but nothing stops you from changing the Greasemonkey script if you need that. I have no idea what my passwords are anymore… and if I need them, I can ask for them to be displayed (click on the “*” while typing the password and it will be revealed in clear).
It also solves ICR’s problem: “That’s until you move to another computer, in which case you’re a little screwed (and lots of people log in on lots of different computers all the time).”
I just need password composer installed on Firefox on all those computers. It works by combining the master password and domain name… so NO password is stored anywhere.
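The derive-don’t-store idea in the comment above (master password combined with the domain name, so no password is ever written down) can be shown with a small stateless generator. This is an added example, not the Password Composer script or any code from the commenters; the scheme (PBKDF2-HMAC-SHA256 keyed on a normalised domain, with a rotation counter in the salt) is my own assumption of how a practitioner would build it today rather than a description of what Password Composer does. The domain normalisation matters because `www.Example.com/login` and `example.com` would otherwise yield different passwords, and the counter is the price of statelessness: if one site password leaks you cannot change it without remembering something extra.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Hypothetical parameters for this example, not values from any real tool.
PBKDF2_ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def normalize_domain(site: str) -> str:
    """Reduce a URL or bare host to a canonical lower-case domain.

    Strips scheme, port and path, and a leading 'www.', so that
    'HTTP://WWW.Example.COM:8443/login' and 'example.com' derive the
    same password. Without this step the 'same master + domain' model
    silently produces a different password for each spelling of a site.
    """
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError(f"could not extract a host from {site!r}")
    return host


def derive_site_password(master: str, site: str, *, length: int = 20,
                         counter: int = 1) -> str:
    """Deterministically derive a per-site password; nothing is stored.

    The domain (plus a rotation counter) is the PBKDF2 salt, so a leaked
    site password does not reveal passwords for other domains, and the
    iteration count slows offline guessing of the master password.
    Bump `counter` to rotate a single site's password.
    """
    domain = normalize_domain(site)
    salt = f"site-password:v1:{domain}:{counter}".encode("utf-8")
    # 32 bytes = 256 bits of key material, more than the ~123 bits a
    # 20-character password from this alphabet can carry.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    # Treat the key as one big integer and peel off base-|ALPHABET| digits.
    # This avoids the modulo bias of mapping single bytes onto 70 symbols.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample secret
    for site in ("example.com", "https://www.Example.com/login", "example.org"):
        print(f"{site:35} -> {derive_site_password(master, site)}")
    print("rotated:", derive_site_password(master, "example.com", counter=2))
```

Usage note: the same master and site always give the same result on any machine, which is the portability the comment is after; the flip side is that the master password is the single secret, so its strength (and the iteration count) is the whole security margin.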
I have three sets of passwords: one for sites I care nothing about, one for sites I care about, and one for high security sites such as banking, Amazon, and Ebay (and each of these is a little different).
I agree, I hate the process of having to create yet another account. Every single damn BBoard in existence seems to want me to create an account, sometimes even just to view the posts already on there.
I’d love to have a standardized system for logging in, especially across BBoards.
OpenID looks like it’s a bit too clunky to work, though. Microsoft Passport, as much as I hate to say it, looks like the better solution.
I second (or rather fifth, sixth, seventh) those who’ve pointed out KeePass (or its ilk) as a perfectly reasonable, safe, secure option for managing one’s passwords. The model’s a great one: I own the app, I own the password file (which is itself password-protected – symbolically analogous to my OpenID url), and it creates excellent, strong passwords for me – all I have to do is open, find, copy-paste, and I’m golden. It’s not one click, but it’s rarely more than a few. KeePass, essentially, is OpenID, only it’s in my pocket, behind my firewall, and physically locked up in my house, rather than floating “out there” in the cloud somewhere, waiting to be compromised.
Identity services like OpenID don’t seem to solve much of a problem, then. As users, we already have the option of using one username and password for everything. Better we don’t, of course – better (IMO, though it seems pretty obvious) that we keep our identities more, rather than less, fragmented, and hence more secure, if only for there being so many more locks to negotiate.