Imagine never having to remember another username and password again.
That’s the promise of OpenID, which aims to eliminate “the need for multiple usernames across different websites, simplifying your online experience.” Instead of signing on to a website with a username and password, you can sign onto OpenID-capable sites using a URL (like yourname.myopenid.com).
You may be surprised that you already have an OpenID. Yup. If you have an account with Yahoo, Flickr, AOL, or one of many other sites, you already have one. Microsoft and Google made news this week by announcing support for OpenID.
On the next Spark, we’ll take a look at OpenID and how it can be used to manage your online identity. We’ll also look at some of the security concerns, such as phishing (thanks Ryan) that crop up around this kind of federated login system.
What do you think? Do you have more usernames and passwords than you can remember? How do you manage them? Leave your comments below, or call them in to 1-877-34-SPARK.
In my experience, the problem is that numerous websites *offer* OpenID logins to use elsewhere, but not that many *accept* other sites’ logins. I think this is the plan for Microsoft’s upcoming OpenID “support” – their website doesn’t change, but you’ll be able to log in elsewhere with your Hotmail account. That’s not really helpful.
When I have used OpenID successfully, it’s pretty underwhelming. For unimportant logins (not email or banking), I always use the same login and password, so it doesn’t save me any time that way, and you still have to create a profile at any given new network, so in the end, I’d say you save ~5 minutes.
I am a photographer and I like to comment on various blogs and image sites on a regular basis. With my Flickr/Yahoo ID, Facebook, Myspace, blogger/google, typepad, livejournal, and probably four or five others out there I have forgotten, along with some site specific user name/pass combinations, it is a bit much at times.
With blogs remembering more and more comment poster information and having the word verification random letters script to post, it does make it easier. But my concern is that with one OpenID, that means if someone phishes it, you could have ID theft situations everywhere, be locked out of all your sites, or have someone posting as if they are you.
I resist using the same username/password combos for all sites for that reason. Makes it tough sometimes, but I can usually reset a password if need be.
I use Google, Flickr, and Yahoo!. All three of these services provide me with an OpenID, but they don’t allow me to sign into their services with an OpenID. That doesn’t sound like support for OpenID to me. Until the movers and shakers of the Internet start _accepting_ OpenID in addition to providing it, OpenID just won’t deliver on its promise.
When it comes to phishing, it really does come down to how the provider protects you. My provider displays an icon I’ve selected to confirm that I’m actually on their site. This is the same thing my bank does. My provider also supports CallVerifID, so it can phone me to authenticate my OpenID. This is particularly useful in mobile situations.
I can imagine how people can fall prey to phishing if a provider doesn’t implement anti-phishing measures. The OpenID standard should adopt specific anti-phishing measures to ensure a common level of protection across all providers.
I remember my passwords by writing them down. And before anyone panics, I don’t write down the *whole* password. I use a sort of formula to create passwords based on things like names of people I know. I write down the name, for example, but unless you know my formula, you would never figure out what the actual password is. I find that to be the most secure way of remembering passwords.
I have a quick-and-dirty password memorization scheme. All of my passwords are different words from a category of items (such as, but not actually, fruits, flavours of ice cream, types of wine, etc), then I use the first letter of the website as the first letter of the password to remember each one (so, Google is “grape”, Photobucket is “prune”, etc). Works for me!
One of the reasons I’m in the process of upgrading http://digitalcopyright.ca to the latest version of Drupal is that OpenID is now part of the core of Drupal.
I think this is just the beginning of OpenID. I use http://mcormond.blogspot.com/ to sign into other sites as I already had a Google account. As already said, now we need more sites to accept OpenID rather than just host them.
I’ve become a heavy social media user during the past year; I have accounts on Twitter, FriendFeed, Google, Yahoo, Digg, Reddit, StumbleUpon, Mixx, and at least two dozen other websites. That doesn’t include online banking, eBay, PayPal and who knows how many other websites.
OpenID, on the surface, is a really cool idea. Quite frankly, I should be using it far more than I do. However, when it comes right down to it, the OpenID url is longer than my standard user ID – I normally use my actual name for a few reasons that aren’t that interesting :: cough :: vanity :: cough :: branding :: cough ::
My name is shorter than my OpenID url, which also happens to include my name. So I’m a bit lazy. I suspect that as I join more services (which would qualify me as even more of a social media addict, but knowing what you are is an important step forward, right?) I’ll gradually use OpenID more and more. Right now it feels a bit clunky. Still a very good idea, though.
As far as passwords go… well, to be honest, I could be a whole lot better at doing this. However, if I describe what I do in any detail, I’ll be creating a security risk for myself, so, um, I probably don’t get more than a C grade for this. At least in social media passwords.
Looking forward to this show!
OpenID is a good thing in theory but until Microsoft and Google actually allow you to use “your” own OpenID to log into their web properties it doesn’t have enough traction. As for identity theft one solution to negate someone from impersonating you would be to use a hardware token to generate one-time passwords for authentication. Something like the YubiKey from the Swedish company Yubico.
I have, I think, 3 openids. Plus a plethora of usernames. I use KeePass (http://keepass.info/) to store my passwords on a usb stick (plus backed-up). Once keepass is running, I don’t have to type in a username/password at all, but hit alt-ctrl-a to have it “auto-typed”.
I tend to use the same username/password for most websites, except for banking and other ones equally as important.
But I haven’t always followed this rule, which means I sometimes forget my login info, so when I was at the Halifax airport one time I saw this little journal for email and websites and now I always write down all my logins there just in case.
Rather than using OpenID I’d recommend 1Password:
http://agilewebsolutions.com/products/1Password
I’ve been using this software for more than 6 months now and it’s really great.
Love the Show
I heard the OpenID piece today and I think it REALLY missed a huge point. Companies like google, hotmail et al. have varying EULAs that permit them to harvest some or all of the information you give them including gmail and its famous wholesale scanning of email content.
These EULAs are obscene and people are blindly giving away a lot of their privacy for no real benefit.
Do you really want to use an “openid” through a company that may through their EULA allow them to harvest all your information from sites you access?
I don’t see any reason to risk using an Internet based password manager such as OpenID. Why not use a password manager that runs on your own home computer. That way you never have to worry about phishing or other methods that may be used to steal your information. I use the password manager that is built into my computer “Keychain” (for my Mac). It works great for remembering all my passwords and my software registration information. Better still, I don’t have to “trust” some unknown entity. There are many password managers out there to choose from. OpenID seems like a waste of time.
I rely on old-fashioned technology, I write down all my pwds and names down in a notebook. I’m not involved in international espionage so I’m not worried about a break in.
I don’t like the idea of OpenID because if someone hacks it online, then all your password sites are in jeopardy. I’ll stick to the pen as backup. I won’t even put the info on my computer.
I use a GPL Palm application called STRIP (Secure Tool for Remembering Important Passwords) http://www.identicentric.com/products/strip/index.html
to generate and remember my passwords. I currently have 274 different passwords. STRIP will generate passwords that contain Numeric, Alpha-Num or Alpha-Num w/Meta characters, 4-32 characters long, at the tap of a button. The password database is encrypted with 128-bit AES, and stays encrypted when I back my Palm up. STRIP has carried my passwords for over 8 years, and through 5 Palm Pilot replacements.
I dislike the idea of OpenID – it’s a Big, Juicy Target (once you can fake OpenID, you can fake anything).
Walt
In this day and age, it’s not being paranoid to be concerned that password managers could be hacked or could even be secretly sending your passwords, usernames, and other info to someone.
How many of you who use a password manager and a firewall routinely authorized the firewall to allow the password manager to access the internet after installing it? Now that it can do so, do you know if it’s ever sent any info anywhere?
I don’t care how much the companies that make password managers claim their product won’t do that, there’s still no guarantee it won’t be hacked. Even a one in a million chance of that happening isn’t too small when computers can query vast numbers of other computers in seconds.
Memorize your most important passwords and write down the others in a way that someone finding the piece of paper won’t know what it is.
Passwords are for security, yet too many people put them at more risk than their systems would be without them.
Like Glenn I also use a password manager running on a USB flash drive that is on my key chain. Pretty geeky but it allows me to forget all my passwords and use the program to copy ‘n paste ‘em. When I sign up a new account I generate a new random password. The entire password database is encrypted and requires a password to get into it, so if I lose my keys the database is useless – I can’t say the same for my car though! Check KeePass out for free (GPL):
http://keepass.info/
There are OSX and Linux versions that are compatible with the database as well.
While OpenId seems like a great idea, it all boils down to one password and a hackable database.
I’ll stick with “Roboform”…I’ve been using it for four years now without any issues, and it also fills in all of those pesky forms like the one for this comments section.
Like everybody else, there are too many openid providers, and not enough openid consumers. I just updated our Mac user group site to accept them, but I’m still in a pretty small minority.
I would like to point out a common fallacy going on here though. That old ‘sticky note on the side of the monitor’ thing isn’t as bad as people make it out to be. Put it in your wallet instead and it’s a better system in many ways than anything that you keep on your computer itself or through a third party. People have a billion years of evolution to help them keep track of physical items that are important to them, and they generally do a pretty good job at it, whereas computer security is a lot younger field…
OpenID allows delegation. If you have an existing website you have control of, such as a blog, you can tie your OpenID to the URL of your blog. To make OpenID more secure, use it in conjunction with a one-time password generator such as the YubiKey. In this scenario, even if someone were to use my OpenID they can't do anything with it unless they physically have my YubiKey. And even if they managed to swipe one of those 44-digit AES hex-encoded passwords it would be useless to them because they can only use it once. If they wanted to use the OpenID again they'd have to generate another OTP and they can't do that without that specific YubiKey.
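The delegation the comment above describes works by placing `<link>` tags in the `<head>` of your own page that point a relying party at your provider and at the identifier your provider knows you by. The following is an added example, not code from Spark or from any OpenID library: a small Python discovery step that parses those tags the way a relying party would, recognising both the OpenID 1.x names (`openid.server`, `openid.delegate`) and the OpenID 2.0 names (`openid2.provider`, `openid2.local_id`). The sample HTML and the hostnames in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class OpenIDLinkParser(HTMLParser):
    """Collect rel -> href for every <link> tag on the page (first one wins)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attributes = dict(attrs)
        rel, href = attributes.get("rel"), attributes.get("href")
        if not rel or not href:
            return
        # rel may carry several space-separated tokens; record each one
        for token in rel.split():
            self.links.setdefault(token.lower(), href.strip())


def discover_delegation(page_html):
    """Return the provider endpoint and delegated identifier a relying party
    would extract from a user's own page, or None if the page delegates nothing.

    OpenID 2.0 link names take precedence over the older 1.x names.
    """
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    links = parser.links
    provider = links.get("openid2.provider") or links.get("openid.server")
    local_id = links.get("openid2.local_id") or links.get("openid.delegate")
    if provider is None:
        return None
    return {
        "provider": provider,
        # with no delegate tag the page URL itself is the identifier
        "local_id": local_id,
        # a plain-http provider endpoint lets an on-path attacker rewrite
        # the login flow, so flag it for the operator
        "provider_is_https": urlsplit(provider).scheme == "https",
    }


# Constructed sample: the <head> of a personal blog that delegates its
# OpenID to a (hypothetical) provider account.
SAMPLE_BLOG_HEAD = """
<html><head>
  <title>My blog</title>
  <link rel="openid.server" href="https://openid.example-provider.test/server">
  <link rel="openid.delegate" href="https://alice.example-provider.test/">
  <link rel="openid2.provider" href="https://openid.example-provider.test/server">
  <link rel="openid2.local_id" href="https://alice.example-provider.test/">
  <link rel="stylesheet" href="/style.css">
</head><body>hello</body></html>
"""

if __name__ == "__main__":
    print(discover_delegation(SAMPLE_BLOG_HEAD))
```

The practical caveat this makes visible: whoever can edit the `<head>` of the delegating page can point the login flow at a different provider, so the integrity of that blog page (its hosting account, its CMS admin login) becomes part of the OpenID's security, independent of any one-time password used at the provider.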