I've been following the progress of Stack Overflow since its announcement on Jeff and Joel's blog, and one of the things that has irked me is that they've decided to provide authentication to Stack Overflow only via OpenID.
For those who don't know what OpenID is, it's easiest to explain with an example. Let's say you want to register for Stack Overflow with OpenID.
The first step is to pick a provider, e.g. ClaimID, where you register a name, password, email address, etc., and at the end of your registration you get an identifier URL (e.g. http://claimid.com/fooUser).
You'd then go to Stack Overflow and, instead of creating an account, provide your OpenID identifier (http://claimid.com/fooUser). Stack Overflow redirects you to ClaimID, where you log in with your ClaimID name and password (Stack Overflow never sees them) and select "trust Stack Overflow with my details".
ClaimID then redirects you back to Stack Overflow carrying a signed assertion that you control that identifier; Stack Overflow verifies the signature, and that's it: you've created an account on Stack Overflow.
So the advantage is that once you have an OpenID, creating accounts is really easy: your details are stored with your OpenID provider, and all you need to give a new site is your OpenID identifier.
It also means that if you want to log into another site, you just navigate to that site and put in your OpenID identifier; you don't have to type a user name and password there, because you're already logged in with your OpenID provider.
What that essentially means, though, is that you now have a single name and password to log into all your sites. GREAT!
Wait a minute. Isn't having the exact same name and password for all your sites considered bad practice? And not only that, isn't there already a way to log into sites using the exact same name and password, which is BY CREATING ACCOUNTS USING THE EXACT SAME NAME AND PASSWORD?
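The redirect round trip described in the walkthrough above, as an added example that is not part of the original post and is not code from Stack Overflow, ClaimID or any OpenID library. It simulates both sides of an OpenID 2.0 `checkid_setup` exchange: the relying party (RP) builds the redirect to the provider (OP), the OP checks the password and sends back a positive assertion signed with HMAC over the Key-Value Form of the signed fields (spec sections 4.1.1 and 6.1), and the RP verifies it. It assumes the RP and OP already share an association (handle plus MAC key), which a real RP establishes with an association request before redirecting; the endpoint URLs, user name and password are made up. What it shows concretely is what the RP actually receives: a signed assertion with a nonce, never the user's password, and the checks the RP must make (signature, return_to, expected identifier, nonce replay) for that assertion to mean anything.

```python
"""Toy OpenID 2.0 checkid_setup round trip between an RP and an OP.

Added illustration, not code from the original post, Stack Overflow or ClaimID.
Assumes the RP and OP already share an association (assoc_handle + MAC key);
URLs and user credentials below are constructed for the example.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
OP_ENDPOINT = "https://claimid.example/server"                  # constructed
RP_RETURN_TO = "https://stackoverflow.example/openid/return"     # constructed
PBKDF2_ROUNDS = 50_000


def kv_form(params: dict, signed: list) -> bytes:
    """Key-Value Form of the signed fields: 'key:value\\n' per field, keys without
    the 'openid.' prefix, in openid.signed order (OpenID 2.0, sections 4.1.1 / 6.1)."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()


class Provider:
    """The OP: the only party that ever sees the user's password."""

    def __init__(self, assoc_handle: str, mac_key: bytes):
        self.assoc_handle, self.mac_key, self.users = assoc_handle, mac_key, {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)                 # store a salted hash, never the plaintext
        self.users[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))

    def _check_password(self, name: str, password: str) -> bool:
        if name not in self.users:
            return False
        salt, digest = self.users[name]
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))

    def checkid_setup(self, request: dict, name: str, password: str) -> dict:
        """Browser arrives with the RP's request; user logs in at the OP and approves.
        Returns the parameters the OP redirects back to openid.return_to with."""
        if not self._check_password(name, password):
            return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}   # not authenticated or declined
        claimed = f"https://claimid.example/{name}"                     # constructed identifier
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(8)
        signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
        params = {
            "openid.ns": OPENID_NS, "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT, "openid.claimed_id": claimed, "openid.identity": claimed,
            "openid.return_to": request["openid.return_to"], "openid.response_nonce": nonce,
            "openid.assoc_handle": self.assoc_handle, "openid.signed": ",".join(signed),
        }
        mac = hmac.new(self.mac_key, kv_form(params, signed), hashlib.sha256).digest()
        params["openid.sig"] = base64.b64encode(mac).decode()
        return params


class RelyingParty:
    """The RP (the Stack Overflow side): never handles the password, only the assertion."""

    def __init__(self, assoc_handle: str, mac_key: bytes):
        self.assoc_handle, self.mac_key, self.seen_nonces = assoc_handle, mac_key, set()

    def begin(self, claimed_id: str) -> str:
        """User typed their identifier; build the redirect URL to the OP."""
        return OP_ENDPOINT + "?" + urlencode({
            "openid.ns": OPENID_NS, "openid.mode": "checkid_setup", "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id, "openid.return_to": RP_RETURN_TO,
            "openid.assoc_handle": self.assoc_handle})

    def complete(self, return_url: str, expected_claimed_id: str) -> bool:
        """Verify the assertion the browser brought back. Every check here is mandatory."""
        p = dict(parse_qsl(urlsplit(return_url).query))
        if p.get("openid.mode") != "id_res" or p.get("openid.return_to") != RP_RETURN_TO:
            return False
        if p.get("openid.claimed_id") != expected_claimed_id or p.get("openid.assoc_handle") != self.assoc_handle:
            return False
        signed = p.get("openid.signed", "").split(",")
        if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}.issubset(signed):
            return False
        try:
            expected = hmac.new(self.mac_key, kv_form(p, signed), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.b64decode(p.get("openid.sig", ""))):
                return False
        except (KeyError, binascii.Error, ValueError):
            return False
        if p["openid.response_nonce"] in self.seen_nonces:   # replayed assertion
            return False
        self.seen_nonces.add(p["openid.response_nonce"])
        return True


def demo() -> dict:
    """Run the happy path plus the three failures an RP must reject."""
    handle, key = "assoc-" + secrets.token_hex(4), secrets.token_bytes(32)   # shared association (assumed)
    op, rp = Provider(handle, key), RelyingParty(handle, key)
    op.register("fooUser", "correct horse")                # constructed user
    claimed = "https://claimid.example/fooUser"
    request = dict(parse_qsl(urlsplit(rp.begin(claimed)).query))
    assertion = op.checkid_setup(request, "fooUser", "correct horse")
    return_url = RP_RETURN_TO + "?" + urlencode(assertion)
    forged = dict(assertion, **{"openid.claimed_id": "https://claimid.example/admin",
                                "openid.identity": "https://claimid.example/admin"})
    bad = op.checkid_setup(request, "fooUser", "wrong password")
    return {
        "valid": rp.complete(return_url, claimed),
        "forged": rp.complete(RP_RETURN_TO + "?" + urlencode(forged), "https://claimid.example/admin"),
        "replay": rp.complete(return_url, claimed),
        "bad_password": rp.complete(RP_RETURN_TO + "?" + urlencode(bad), claimed),
        "password_in_redirect": "correct horse" in return_url,
    }


if __name__ == "__main__":
    print(demo())
```

The forged assertion fails because the HMAC no longer matches, the replay fails on the nonce even though its signature is still valid, and the password check result shows the only thing that travels back to the RP is the assertion. In a real deployment the association key is negotiated with the OP (or the RP falls back to a `check_authentication` request to the OP), and the RP also verifies that `openid.op_endpoint` matches the endpoint it discovered for the claimed identifier.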
About Me
- jklp
- Melbourne, VIC, Australia
- Jerrold is a recently migrated, Melbourne-based software engineer with roughly 5 years' experience developing in Java and the web technology stack (HTML, CSS, DOM, JavaScript, etc.). More recently, he's started developing in Python (well, Jython, but close enough) and is unsure if its flaws outweigh the advantage of its more sugary syntax. He is currently working at a small South Melbourne-based company which specialises in sales incentive management / reporting software, and is being schooled in the finer points of small company operations.
3 comments:
> isn't there already a way to log into sites using the exact same name and password, which is BY CREATING ACCOUNTS USING THE EXACT SAME NAME AND PASSWORD?
No. Because there is only 1 provider who you can presumably trust, applies sound security practices, etc. (in part due to the scale they intend to support), it's probably safer trusting that one site with your username and password than it is trusting 10-15 sites with those details. Those sites might range from PayPal to a forum site... who don't hash passwords... who get hacked... suddenly someone has your username and password and takes a guess that you have a PayPal account, which can access your credit card and...
Sure there can be dodgy OpenID providers too, but since they compete on this service they'll probably take steps to ensure they are trustworthy. Which isn't really an issue you think about when you sign up to some random forum (and it's possible that the providers of that forum don't think about it either).
Your discussion of OpenID also talks about how it's currently implemented, not the idea. The idea is you have one ID with a password and a trusted provider verifies your identity. Right now the way it works might be clumsy, but in 2-3 years the interaction might be completely different.
Plus you're ripping off Ted Dziuba.
Thanks Walter,
I haven't seen that post before but had a good read of it and it looks like it's nearly identical to mine.
You mention trusting 1 site instead of 10 - 15 sites. If following best practices and using a different password for each of those sites, doesn't that mean that if 1 site is compromised then only that site is compromised?
You still haven't answered the question though: what problem is OpenID trying to solve?
The problem is - you have multiple sites with multiple passwords and then either:
You have so many usernames and passwords (or at least passwords) that you forget your passwords. That can lead to problems.
or
You use the same password everywhere. Now your password is only as secure as the least secure site you've registered with.
Sure browsers provide password managers, but they're storing those credentials on your hard drive, so there is a risk that someone could get at that information too (and your computer is only as secure as the least secure person who uses it :D).
The above represents "the problem" with username/password based security as it currently works. The idea with OpenID is that web sites can hand off the tricky task of authentication to a 3rd party, and now the least secure authorising party is an OpenID provider who presumably takes a lot more care and has a lot more knowledge than a dodgy forum site (win for provider), and you don't have to remember multiple passwords, use the same password in multiple places or store your password on your hard drive (win for user).