Difference between revisions of "Using OpenID"

From strattonbrazil.com
Jump to: navigation, search
(Why Username/Password Authentication Is Bad)
(Why Username/Password Authentication Is Bad)
Line 7: Line 7:
 
The talk examines some behaviors among users that are forced to make a username/password.  First, making username/password's for every site is laborious.  If the user comes to your site and sees they need a create a user profile with a username and password, often times they just leave your site.  Why?  It's hard to create a new username and password for a site that may be a one-off use.  Some sites make it even harder by defining very strict password policies guaranteeing that the user will not be able to remember their password.  In fact, some users will just fill the password field with random garbage and once they're logged in use cookies.  Once the cookies expire they just reset their password with more garbage.  This is all very laborious for the user.  Almost everyone has experienced the  
 
The talk examines some behaviors among users that are forced to make a username/password.  First, making username/password's for every site is laborious.  If the user comes to your site and sees they need a create a user profile with a username and password, often times they just leave your site.  Why?  It's hard to create a new username and password for a site that may be a one-off use.  Some sites make it even harder by defining very strict password policies guaranteeing that the user will not be able to remember their password.  In fact, some users will just fill the password field with random garbage and once they're logged in use cookies.  Once the cookies expire they just reset their password with more garbage.  This is all very laborious for the user.  Almost everyone has experienced the  
  
[[File:fry_username_password.jpg]]
+
[[File:fry_username_password.jpg|center]]
  
 
Even worse is when users don't use unique passwords.  They implicitly trust you with their username/password, which may be used elsewhere.  Sure, it's their fault for not using unique passwords, but it's also your fault for taking them in the first place.  Getting username/password combos hacked is horrible PR.  When you accept them you have to then spend time and resources to make sure they're secure on your site.  What are you really getting from them that makes them worth the trouble?
 
Even worse is when users don't use unique passwords.  They implicitly trust you with their username/password, which may be used elsewhere.  Sure, it's their fault for not using unique passwords, but it's also your fault for taking them in the first place.  Getting username/password combos hacked is horrible PR.  When you accept them you have to then spend time and resources to make sure they're secure on your site.  What are you really getting from them that makes them worth the trouble?

Revision as of 03:06, 16 August 2014

The talks at OSCON 2013 were hit and miss--something I've heard is fairly normal for tech conferences in general--but I definitely came away with a favorite. "Reducing Identity Pain" by Tim Bray was a forty-minute session on how to unique identify your users without requiring a username and password.

Why Username/Password Authentication Is Bad

The talk examines some behaviors among users that are forced to make a username/password. First, making username/password's for every site is laborious. If the user comes to your site and sees they need a create a user profile with a username and password, often times they just leave your site. Why? It's hard to create a new username and password for a site that may be a one-off use. Some sites make it even harder by defining very strict password policies guaranteeing that the user will not be able to remember their password. In fact, some users will just fill the password field with random garbage and once they're logged in use cookies. Once the cookies expire they just reset their password with more garbage. This is all very laborious for the user. Almost everyone has experienced the

Fry username password.jpg

Even worse is when users don't use unique passwords. They implicitly trust you with their username/password, which may be used elsewhere. Sure, it's their fault for not using unique passwords, but it's also your fault for taking them in the first place. Getting username/password combos hacked is horrible PR. When you accept them you have to then spend time and resources to make sure they're secure on your site. What are you really getting from them that makes them worth the trouble?

A Painless Alternative

So usernames/passwords