usernames and passwords


I just came to the sad realization that I have more different usernames than I have different passwords. Of course, as someone who likes to emphasize good security practices I probably shouldn't be telling everyone how hypocritical I am. But it gets better too. My usernames change more frequently than my passwords do.

Just thinking about the prospect of changing all of my passwords on all of the different sites and servers I use makes me shudder. So... instead of taking personal responsibility for my bad password habits, I will blame it on the whole username/password system and look forward to future authentication/authorization mechanisms that don't leave the security of servers and web sites I'm not responsible for in my hands, or at the very least, make it more transparent.

Why OpenID will fail. AKA OpenID disinformation time.


I'm not sure how many of my blog readers know what OpenID is, or I guess, even who reads my blog anymore. But anyway, it seems like I'm reading about or hearing someone talk about OpenID every other day now, all of whom seem to be talking about why OpenID will fail. Actually... today I heard/read two people describing why OpenID will fail or why it's a bunk idea. One on a random blog, the other at a discussion led by Cory Doctorow at SFU (which was an awesome discussion, btw). The reasons why OpenID will fail are usually the same:

  1. Privacy: If you use an OpenID provider for all of your logins then that provider knows exactly which blogs you read, which sites you visit, and which companies you shop from (assuming all the sites you use, use OpenID). That kind of information is very valuable to marketers and likely to get sold or stolen.
  2. Trust: Just because someone's identity provider says that the person logging into your site is Bob, how can you trust that the person is actually Bob? No large companies will ever trust third-party OpenID providers. Perhaps they'll become a provider themselves and you'll need to set up an OpenID with them. If all large organizations do this, you defeat the purpose of OpenID.
  3. Buy-in: OpenID is useless unless everyone buys into it. When even many technical experts have never heard of it, everyone will never buy into it, even if it is an amazing technology.
  4. Corporate control: OpenID is a solution for corporations to solve single sign-on problems and more easily gather user data, not a solution for individuals. It is not made for individuals, therefore even if it catches on it will be a Bad Thing (tm).
  5. Phishing: 'nuff said.

Those seem to be the most typical arguments I've read/heard. The corporate control one was a new one today though. So, why do I think OpenID will fail? One reason:

People don't understand OpenID or the problem it is trying to solve. Sure, maybe the people developing it do, but not the people who will be most influential in its adoption. Of the arguments I've heard and read very few have actually pointed out real issues with OpenID, and the good ones have mostly been demonstrating that the problems OpenID is trying to solve have already been solved in other identity technologies. Sure, OpenID may not be the be-all and end-all of identity on the net, and it's not trying to be, but OpenID may have no future if its scope and goals cannot be clearly articulated to the people who could be advocating it, instead of bashing it.

EDIT: Perhaps I was too subtle in this post, but just to clarify... the 5 points I listed above are not my arguments nor do I believe that they are valid. They are simply the most common arguments I hear against OpenID.