OpenID Fan Club Is Shrinking

A.B. VerHausen writes "Even though there's a whole new Web site devoted to understanding and using OpenID, some companies are dropping the login method altogether. OStatic is reporting that the 'free Web site network Wetpaint announced recently that it will no longer support OpenID as a login option for its wiki, citing low usage and high support costs as reasons.' Apparently, fewer than 200 registered users bothered with OpenID, and the extra QA and development time doesn't make it worthwhile to support. This can't come as welcome news on top of the internal issues the article mentions the OpenID Foundation is having now, too." I've actually been quite happy with OpenID, since I have spawned far too many username/password pairs over the last 20-plus years, but it's a major chicken-and-egg problem. Hopefully someone out there will build a better mousetrap ...
  • by wealthychef ( 584778 ) on Wednesday January 07, 2009 @05:23PM (#26363493)
    Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for Windows) that secures my passwords in one place and protects them with a single master password. No OpenID required, just the Mac Keychain.
  • by WiiVault ( 1039946 ) on Wednesday January 07, 2009 @05:37PM (#26363753)
    I am not a user so YMMV, but I personally don't like all my eggs in one basket. I use different logins and passwords on most of the sites I visit. I hardly want a security breach on some forum I post to to be able to have access to my email or credit cards site. Centralized is great for some things, but I simply don't trust any company to be as tight with their security as I am with my own. To them a breach is a "whoops, sorry!" to me it could be personally and financially devastating.
  • by phantomcircuit ( 938963 ) on Wednesday January 07, 2009 @05:42PM (#26363819) Homepage
    Do you see OpenID anywhere on the front page to Facebook [facebook.com]?

    There's your problem, people don't know that OpenID even exists.
  • by Anonymous Coward on Wednesday January 07, 2009 @05:47PM (#26363887)

    Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for Windows) that secures my passwords in one place and protects them with a single master password. No OpenID required, just the Mac Keychain.

    This works well if you're always logging in to websites from YOUR computer... won't OpenID mean users can log in to websites from anywhere (work, friend's house) and only have to remember the one user/pass pair?

  • Re:I Wonder Why... (Score:4, Insightful)

    by truthsearch ( 249536 ) on Wednesday January 07, 2009 @05:51PM (#26363927) Homepage Journal

    The popular library for PHP [openidenabled.com] is poorly documented. The API has each function documented (phpdoc), but nothing to actually get you started using the API. When we needed to do something other than the rudimentary sample code, it turned into a huge hassle. The API seems far more complicated than it needs to be.

    Developers aren't going to adopt it much if they have to keep re-implementing the standard from scratch. OpenID needs to publish a well documented API for each popular language that might need it. That'll get the ball rolling faster.

  • by LingNoi ( 1066278 ) on Wednesday January 07, 2009 @05:53PM (#26363957)

    The idea is dumb, it does put your eggs all in one basket because once someone has your login credentials they have your whole online identity.

    If I found out Richard Stallman's openID usr/pass I could create an account on slashdot and post shit and people would think I am him because I am using his openID identity.

    That's what is so damaging about it. Not only does it give a black hat login access to your personal information all over the internet, but it also allows you to create new information under the guise of someone else potentially ruining a person's life.

  • Not a login system (Score:2, Insightful)

    by Anonymous Coward on Wednesday January 07, 2009 @05:57PM (#26364009)

    It might also have to do with the fact, that OpenID was never supposed to be a general login system. At its bones, it's a homepage/URL verification protocol for the blogging community. And it's constrained to that, because URLs (no matter how shortened) are not *common*-user-friendly.

  • by truthsearch ( 249536 ) on Wednesday January 07, 2009 @05:58PM (#26364027) Homepage Journal

    How is it more work to enter your username and password on one page instead of another?

  • by roemcke ( 612429 ) on Wednesday January 07, 2009 @06:07PM (#26364151)
    You already have all your eggs in one basket. Virtually all online sites will send you new passwords by e-mail if you forget them. If your e-mail account gets compromised, an attacker can request and intercept new passwords for any online site he wants to access.
  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Wednesday January 07, 2009 @06:21PM (#26364401) Homepage Journal

    Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for Windows) that secures my passwords in one place and protects them with a single master password.

    Rather than trust an external site with my security, I use OpenID on my home server that secures my single password in one place and never distributes any of my login information to other servers.

  • by Blakey Rat ( 99501 ) on Wednesday January 07, 2009 @06:23PM (#26364433)

    Yes, but the difference is that Passport has worked reliably for years and years now... 10 years, if I'm remembering correctly... and I've yet to flawlessly log in to anything using OpenID even once.

    I have to admit, that after typing that post I went back to StackOverflow and they've actually fixed their faulty instructions for how to enter Yahoo IDs. (It used to read: my.yahoo.com/username which never worked, AFAIK. Now it just says to use www.yahoo.com and have Yahoo ask your username, which does appear to work.)

    But look at it this way, availability-wise:

    If you use OpenID with a delegate, you're dependent on your own web server working, at least one of your OpenID providers working, and StackOverflow working.
    If you use OpenID with no delegate, you're dependent on your OpenID provider working, and StackOverflow working.
    If they use Passport, they're dependent on Passport.com and StackOverflow.com both being working.

    If StackOverflow had their own login, you only have one dependency: itself. Clearly this is the best option if you want to optimize for availability.

    And what really makes me bitter here is that the goal isn't to make their website easier or quicker or more available to use, it's just a political campaign to increase the number of people who use some crappy, poorly-designed, technology. OpenID is too crappy to succeed on its own merits, so now we have website "activists" trying to force its use... that's crummy.

  • by davester666 ( 731373 ) on Wednesday January 07, 2009 @06:26PM (#26364485) Journal

    It's because everybody wants to be a provider (so they get all your valuable information from you, as well as your surfing habits from other web sites that use OpenID when you sign on using your ID), but pretty much nobody wants to just accept an OpenID login (as they wind up just sending valuable information to another company with no direct benefit to themselves [and they could care less about the customer's convenience]).

  • by phantomcircuit ( 938963 ) on Wednesday January 07, 2009 @06:27PM (#26364493) Homepage
    Also if you really don't trust the OpenID provider you can simply run your own.

    Honestly it's not that complicated http://wiki.openid.net/Run_your_own_identity_server [openid.net]
  • by Sancho ( 17056 ) * on Wednesday January 07, 2009 @06:42PM (#26364729) Homepage

    Frankly, I don't trust other computers. I try my best not to log on to online services when I'm not using a trusted computer.

    I'm sure as hell not going to plug a USB drive with my password database into an untrusted computer.

  • Nobody does (Score:4, Insightful)

    by coryking ( 104614 ) * on Wednesday January 07, 2009 @06:52PM (#26364899) Homepage Journal

    That is half the problem. It isn't an intuitive way of logging into a website. Since the days of timeshare computers, people understand "username / password". Nobody understands "URL => ????".

    If you were to ask me to write the OpenID obituary, the biggest reason the protocol failed was the decision to use a URL instead of an email address. Every other failure was secondary to that one.

  • by CarpetShark ( 865376 ) on Wednesday January 07, 2009 @07:04PM (#26365057)

    Effort was never the issue. The issues are:

    a) Selfishness. Too many sites allow you to use their database to log into others, but not use others to log into theirs. Seems the big players want to be the ones owning your data, just like MS tried to own logins with its system... whatever that was called.

    b) What does OpenID actually gain you? You still have to enter login details. It's just a URL instead of a username. Others have said this above too, but what's needed is something like a wallet: infocard or a keyring manager, which keeps track of all your details on your machine, and extends your single desktop sign-on to websites, so you don't need to log in at all. Most of this tech is available and implemented, with firefox's password memory, and desktops' wallets. Unfortunately, again, people are competing to control this, instead of focusing on an open system. An open, Infocard system for GNOME/KDE and other desktops (all equally supported and native), which presents web logins as "Here's your wallet. Select which ID card you want this site to use" would nail this problem easily.

  • Um (Score:4, Insightful)

    by coryking ( 104614 ) * on Wednesday January 07, 2009 @07:07PM (#26365085) Homepage Journal

    The Magic URL (which is magic, actually) *IS THE USERNAME AND PASSWORD*. That is the whole point of OpenID. A website leaves the username/password business to some other guy and just trusts the protocol to make sure the Magic-URL is legit.

    If you've hacked RMS's OpenID account, you can just go to any OpenID site, even if he never visited it before, and start impersonating him. That is the "benefit" of OpenID! Most of the OpenID authenticated sites out there don't have a concept of "sign up", you just go to the site, plug in your Magic URL and start doing shit. There is no email confirmation step on those sites, and if there was, it would kinda defeat the whole purpose of OpenID in the first place.

    And if I'm wrong in my interpretation of this, please send me to a URL that actually explains how the damn thing works. Nobody gets it, and if the OpenID guys can't explain it clearly, they probably don't get it either.

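The "trusts the protocol to make sure the Magic-URL is legit" step in the comment above, and the delegate set-up mentioned earlier in the thread (a home-page that points at a provider), are what a relying party actually implements. The following is an added example written for this page; it is not code from the thread, from Wetpaint or StackOverflow, or from the OpenID Foundation's libraries. It follows the OpenID 2.0 flow: discover the provider endpoint and delegated local identifier from the claimed-identifier's HTML, then check a positive assertion (signature over the signed fields with the association MAC key, return_to, nonce freshness and replay, and that the asserting provider and identity match what discovery returned). The HTML page, the MAC key, the nonce and every URL here are constructed sample values, not real identifiers.

```python
"""Relying-party checks for an OpenID 2.0 positive assertion (added example).

All URLs, the HTML page, the MAC key and the nonce below are constructed
samples for illustration; they are not real identifiers.
"""
import base64
import hashlib
import hmac
import re
from datetime import datetime, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields an RP must insist are covered by the signature (spec section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

# Constructed sample: what a user serves at their claimed identifier to
# delegate authentication to a provider (the "delegate" set-up in the thread).
CLAIMED_ID_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/u/rms-sample">
</head><body>my homepage</body></html>"""

# Constructed: the shared secret the RP obtained in the association step.
MAC_KEY = b"constructed-32-byte-shared-secret"


def discover_from_html(html):
    """Parse the delegation <link> tags from a claimed-identifier page."""
    links = dict(re.findall(r'<link\s+rel="([^"]+)"\s+href="([^"]+)"', html))
    return {"op_endpoint": links.get("openid2.provider"),
            "local_id": links.get("openid2.local_id")}


def kv_form(signed, fields):
    """Key-value form of the signed fields, in signed-list order (section 4.1.1)."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)


def sign(mac_key, signed, fields):
    """HMAC-SHA256 over the KV form, base64 encoded (section 6)."""
    mac = hmac.new(mac_key, kv_form(signed, fields).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def parse_nonce_time(nonce):
    """response_nonce is 'YYYY-MM-DDTHH:MM:SSZ' followed by unique characters."""
    stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    return stamp.replace(tzinfo=timezone.utc)


def verify_assertion(fields, mac_key, discovered, expected_return_to,
                     seen_nonces, now, max_skew_seconds=300):
    """Return (ok, claimed_id_or_reason). seen_nonces is a set shared across calls."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        return False, "not a 2.0 positive assertion"
    if fields.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    signed = fields.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        return False, "required fields not covered by signature"
    if any("openid." + k not in fields for k in signed):
        return False, "signed list names a missing field"
    for name in ("claimed_id", "identity"):
        if "openid." + name in fields and name not in signed:
            return False, f"{name} present but unsigned"
    # Check the signature before trusting any field value.
    if not hmac.compare_digest(sign(mac_key, signed, fields), fields.get("openid.sig", "")):
        return False, "bad signature"
    # Replay protection: nonce must be recent and never accepted before.
    nonce = fields["openid.response_nonce"]
    if abs((now - parse_nonce_time(nonce)).total_seconds()) > max_skew_seconds:
        return False, "nonce outside allowed window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    # Verify discovered information (section 11.2): the asserting provider must
    # be the one discovery found, and the identity must be the delegated local_id.
    if fields["openid.op_endpoint"] != discovered["op_endpoint"]:
        return False, "assertion from an OP other than the discovered one"
    expected_identity = discovered["local_id"] or fields.get("openid.claimed_id")
    if fields.get("openid.identity") != expected_identity:
        return False, "identity does not match discovery"
    seen_nonces.add(nonce)
    return True, fields.get("openid.claimed_id")


def make_assertion(mac_key, claimed_id, identity, op_endpoint, return_to, nonce,
                   assoc_handle="assoc-constructed-1"):
    """Build what a provider would send back; used only to feed the checks."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    fields = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
              "openid.op_endpoint": op_endpoint, "openid.claimed_id": claimed_id,
              "openid.identity": identity, "openid.return_to": return_to,
              "openid.response_nonce": nonce, "openid.assoc_handle": assoc_handle,
              "openid.signed": ",".join(signed)}
    fields["openid.sig"] = sign(mac_key, signed, fields)
    return fields


def run_checks():
    """Exercise the verifier on the constructed samples; returns each outcome."""
    disc = discover_from_html(CLAIMED_ID_HTML)
    now = datetime(2009, 1, 7, 23, 0, 0, tzinfo=timezone.utc)
    rt = "https://rp.example.org/openid/return"
    claimed = "https://rms.example.com/"
    seen = set()
    good = make_assertion(MAC_KEY, claimed, disc["local_id"], disc["op_endpoint"],
                          rt, "2009-01-07T22:59:30Zabc123")
    results = {"valid": verify_assertion(good, MAC_KEY, disc, rt, seen, now)}
    results["replay"] = verify_assertion(good, MAC_KEY, disc, rt, seen, now)
    tampered = dict(good, **{"openid.claimed_id": "https://victim.example.com/"})
    results["tampered"] = verify_assertion(tampered, MAC_KEY, disc, rt, set(), now)
    # Signed with the real key only so the discovery check, not the MAC, is what fails.
    rogue = make_assertion(MAC_KEY, claimed, disc["local_id"],
                           "https://evil.example.net/server", rt, "2009-01-07T22:59:31Zxyz")
    results["rogue_op"] = verify_assertion(rogue, MAC_KEY, disc, rt, set(), now)
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(name, outcome)
```

The point for the thread's impersonation worry: none of these checks can tell a legitimate assertion from one issued to someone who holds the victim's provider credentials, because the provider is the only party that ever saw a password. What the RP can and must rule out is a rogue provider asserting someone else's URL (the discovery check), a replayed assertion (the nonce set), and a response that was altered in transit (the MAC over the signed fields).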
  • by coryking ( 104614 ) * on Wednesday January 07, 2009 @07:11PM (#26365125) Homepage Journal

    Let's say I've hacked your OpenID account. Now I can go visit sites like StackOverflow and post as you. Since they don't require email verification when you "sign up", it doesn't matter if you had an existing account with them before I hacked you. I can go anywhere that takes OpenID and "silently" impersonate you regardless of whether you used the website before. No email verification means you'd probably never know it either. Well.. until you google "AvitarX" and find yourself posting horse porn on some OpenID site.

  • by GooberToo ( 74388 ) on Wednesday January 07, 2009 @07:30PM (#26365409)

    And this is exactly why OpenID never caught on. You implemented it the only way it makes sense. For the vast majority of people this is too much. For companies requiring a login, they garner no information about who is visiting their site so they have no incentive.

    The combination of the two means no one wants to accept OpenID and it is too painful to truly use securely. Whereby securely means, no user information released.

  • This depends (Score:1, Insightful)

    by Anonymous Coward on Wednesday January 07, 2009 @07:50PM (#26365663)

    Are you talking gmail, or a corporate email account? If you have an email provider you can pick up a phone and call, these kinds of attacks don't exist. Sure they compromise your account, but you just call IT and have them un-compromise it.

    Which actually says to me only a fool would register his OpenID account under an email account where you *can't* call the provider. If you bind your "mega-important OpenID account" to bob@gmail.com, you are gonna get screwed if the email account is compromised.

  • by Anonymous Coward on Wednesday January 07, 2009 @08:00PM (#26365801)

    Which translates into "why the fuck should I trust OpenID to authenticate my users"?

    That's like asking "why should I trust HTTP to authenticate my users?". You're confusing the protocol with the sites that use that protocol. "OpenID" isn't authenticating your users, their providers are.

    How can I, a website using OpenID, be sure that the OpenID provider hasn't been compromised?

    The same way you can be sure that any given one of your non-OpenID users hasn't been compromised when they log in the old-fashioned way: not at all.

    If somebody is using OpenID and their OpenID account is compromised, what is my legal liability if the attacker "logs into" my website and fucks around with the user.

    I don't know, but it's got to be less than when you are the one who owns the authentication mechanism that got compromised. Either the user fucked up or their OpenID provider did; you literally can't be at fault for the breakin.

    And by the way, what is the proper term for "user" in OpenID parlance?

    "User", I guess? I don't think there really is an OpenID parlance, at least not for this.

    They really aren't "your" users, are they? Their account isn't with you anymore. It is with the OpenID provider. So what do you call somebody who logs into your website using OpenID? A visitor? A member?

    Of course their account is with you. You're still (presumably) requesting and storing the same information as before, and doing the same things with that information.

  • by coaxial ( 28297 ) on Wednesday January 07, 2009 @08:04PM (#26365843) Homepage

    Just use Password Gorilla everywhere since it's available on Mac, Linux, and Win32. That's what I have. But in all honesty, I don't really use it. It's frankly too much of a pain to fire up another program, log in, search, copy and paste the login and password, and then close the program. So what do I use? Unencrypted plain text files named after domains, all stored in a handy directory named dont_look_here.

    Seriously.

  • by ceejayoz ( 567949 ) <cj@ceejayoz.com> on Wednesday January 07, 2009 @08:45PM (#26366347) Homepage Journal

    That's by no means a solution, as it ignores entirely the main reason for OpenID - avoiding registration.

  • by Anonymous Coward on Wednesday January 07, 2009 @09:27PM (#26366793)

    What the fuck is the "Read the rest of this comment..." link for if Slashdot already displays the whole goddamn 65 KB troll? That's 435 lines at 150 characters each.

  • by Mathinker ( 909784 ) on Thursday January 08, 2009 @01:33AM (#26368549) Journal

    Yeah, and how is he supposed to decrypt it, in his head? I'm assuming of course, that he's not Bruce Schneier [geekz.co.uk].

  • by Sigma 7 ( 266129 ) on Thursday January 08, 2009 @02:20AM (#26368793)

    I'm surprised that /. geeks actually use specific tools to manage their passwords, when it's so much simpler and quicker with a couple of shell micro-scripts.

    Shell scripts are harder to use if you have to cut-and-paste between them and the browser.

    You provided a windows batch file as an example... on that terminal, you have to open the console menu and first select mark, then draw a block around the text, and copy the text to the clipboard.

    The browser's built-in manager is very easy to use, and as such, is used the most frequently. If that starts to fail or strain, you then switch to the other tools, such as keeping a plaintext file or building a greasemonkey script.
