Hi again, everybody.
I just had to defend Scarecrow’s use of old-style usernames and passwords. Not to my boss, because I don’t have one of those here. It was just a conversation. But it’s a conversation I keep having, and maybe some of you guys do too. So here are my thoughts on the online password problem.
What problem? Well, how many accounts do you have on unrelated websites that all use the same username and password? Don’t tell me–I’m just going to assume the answer is “several.” Obviously this isn’t a good situation. If a hacker or unscrupulous employee gets your information, he may exploit it.
There are several proposed solutions. Browsers now track our usernames and passwords on the various sites we visit, so we’re somewhat more free to choose hard-to-remember passwords (though on that subject, this is interesting, funny, and useful). Downside: they’re only stored on the computer we used to set up or access each site. There are various workarounds to share this information, but they won’t work on all the computers we use. In short, this is a hassle. Trusting some online provider to securely store all our credentials, so we can get to them regardless of where we are, has an obvious risk to it, too.
(Here’s a story: A very savvy friend told me about the system he’d purchased to encrypt and save his passwords. I thought: Cool! And I congratulated him on solving the problem for himself. It sounded like a hassle to me, but this guy has access to a lot of systems that do important things, and I guess I admired him for taking this seemingly straightforward but actually rarely-accomplished step. So now, I told him, his various accounts were safe from each other! His response: “Um. Well. Actually now I have this really secure system that records the fact that I use the same username and password everywhere.” I thought about that. “Oh,” I said.)
So some people think everybody ought to just cut it out, and use a single sign-on for most or all of the sites they access. By this I mean people like those who contribute to or use OpenID, which sounds like a great idea until you think about it a little, at which point it begins to seem like a semi-good idea. Basically the notion is that you’d only log in to the one system, and other sites would defer to its authentication protocol.
It sounds great. The idea has its good points. In fact, I think a lot of site developers, administrators and owners would benefit by adopting it. But if a user is going to store private information with you, you are then trusting the provider of the authentication service in two separate but critical ways. You are also asking potentially unsophisticated users to trust you more than they may be comfortable with. The problems, as I see them:
- If the authentication service is compromised, so is your ability to protect your users. The more users choosing a given service, the more likely it is to be seen as a worthwhile target by hackers.
- If there are several competing authentication providers, as a business owner you can either trust them all or try to monitor all of their security issues or trust only some of them. There are obvious issues with all three choices.
- If the authentication provider decides it doesn’t like you or your business, or changes the way it operates without what you’d consider sufficient notice, it may have just taken your customers away from you.
- If your potential customers are not familiar with this sort of system, or don’t trust that a “login” link provided by your site will not give you personally access to their OpenID credentials and thus all their other sites, you’ll either have to kiss those folks goodbye or…worst case in my opinion…also offer your own proprietary username/password system. And take a little credibility hit. Some folks may decide you’re just another “phishing” site. Ouch.
So people do stuff somewhat like this when they try to integrate with social networks. Even I may decide to make Scarecrow available as a Facebook app. There are obvious benefits. But…there are downsides, too.
Another idea: since most people surfing online have an email address, why not use that as the username? That way they won’t have to remember yet another username!
Okay. So what’s the point? There’s nothing magical about email addresses. Using them as part of your login credentials is precisely as bad (or good) as using any other username everywhere. Maybe a little worse, because it’s easier to guess by people who know you.
Plus, most folks who go that route then send out an email to “verify” the email address, and require their potential users to go check the address and click a link or navigate back to their site. What problem were we solving again? Uniqueness of usernames? Sheesh. Is it that hard to just, you know, check for uniqueness when users are creating them? In fact, even with all this rigmarole, don’t you have to check anyway? Just how many hoops should users be expected to jump through, again? Isn’t this whole practice really about–wait for it–making sure we grab an email address from our users? Whether they want to give it to us or not?
Okay, remember those pure, solve-the-world’s-problems OpenID guys? At the time of this writing, doesn’t this page say, under “Link your site to the social web,” that “protocols such as Portable Contacts can be used with OpenID to offer your site access to a user’s address book and friends lists.”
C’mon. That ain’t right even if it’s implemented as opt-in. Not at all.
Don’t get me wrong. I’m not saying I have a solution to all of this. I wish I did, but I don’t. What I’m saying is that Scarecrow is trusted with data that is important to our customers, and I don’t see a way around having to invest effort into protecting that data. It goes beyond username/password information, but it starts there.
So we may seem a little old-fashioned. Lots of recent college grads in Computer Science will not approve of the way we do things.
But I care about our customers more than I care about buzzwords and “standards.”
Okay. Now tell me how I’m wrong, and I’ll change my mind.
OpenID and human nature means that most peolpe will use the same URI for most sites, making it easy to track them and thereby eroding their privacy. An alternative is to disclose your identity provider, but not your identity. Essentially, you get your identity provider to provide credentials bound to the session id. However, a bigger issue remains, how do we avoid websites requiring the use of just a tiny handful of giant corporate identity providers. Certificate chains could provide a solution, e.g. enabling a website in Nebraska to accept the Swedish government as an identity provider. This raises significant social issues on an international scale.