Updated: Never — Philip's Blog

Now featuring regular updates!

Sun, 15 Jun 2008

12:05 – Skeptical about OpenId

More and more websites seem to be showing that funny OpenID logo, and more and more people I know appear to be quite lyrical about the stuff.

Still. I'm a skeptical bastard. I wonder if OpenID is not a solution looking for a problem, like so many "Web 2.0" technologies.

Using the same username and password everywhere would of course be unbelievably stupid. If one site is broken (or run by a sneaky and enterprising individual), your identity is effectively owned.

I am still using the good old paranoid method of dealing with the plethora of websites that want me to create "accounts" and would like me to create a username and a password to log in to them.

Ever since the beginning of time, I've been generating different passwords for the sites that want them, and storing them in a file on an encrypted volume. Over time, of course, that list has become rather long:

% grep http /cryptostick/keys/passwords.txt | wc -l
207

Many of the sites in that file I've probably not visited in many years, and some of them probably don't exist anymore. Not a problem: the amount of data I'm storing about them is on the same order as what I once told them about me: very little.
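The approach above, as an added example that is not from the post: a small POSIX shell script that keeps a "URL username password" file like the one grep'd above, draws a fresh random password per site from /dev/urandom, and goes one step beyond the text by rotating just the one line when a site is compromised. The file path and the URLs used are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): the per-site random-password file the
# author describes, one "URL username password" line per site. The file
# path is a constructed stand-in; the real one lives on an encrypted volume.
PWFILE="${PWFILE:-./passwords.txt}"

# Draw N (default 20) alphanumeric characters from the kernel's random pool.
genpw() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-20}"
}

# Print the stored password for an exact URL match, nothing if unknown.
lookup() {
    [ -f "$PWFILE" ] || return 0
    awk -v u="$1" '$1 == u { print $3; exit }' "$PWFILE"
}

# Register a site with a freshly generated password and print it.
# Refuses to add a second line for a URL that is already present.
addsite() {
    url=$1; user=$2
    [ -z "$(lookup "$url")" ] || { echo "already stored: $url" >&2; return 1; }
    pw=$(genpw 20)
    printf '%s %s %s\n' "$url" "$user" "$pw" >> "$PWFILE"
    printf '%s\n' "$pw"
}

# Replace one site's password after that site is compromised; every other
# line is untouched, which is the "damage limited to a single site" property.
rotate() {
    url=$1; pw=$(genpw 20)
    awk -v u="$url" -v p="$pw" '$1 == u { $3 = p } { print }' "$PWFILE" \
        > "$PWFILE.tmp" && mv "$PWFILE.tmp" "$PWFILE"
    printf '%s\n' "$pw"
}

# Number of stored sites, the count the post gets with grep http | wc -l.
countsites() {
    grep -c http "$PWFILE"
}
```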

So back to OpenID: if I understand it correctly, it would replace this simple plain text file I keep on an encrypted volume with a whole infrastructure of XML-communicating "things", any of which could possibly break, any of which would be - like anything XML - hideously difficult to debug and, most importantly, like any "web technology", unbelievably volatile and subject to becoming obsolete at the drop of a hat.

I can think of any number of other things that can and will go wrong.

It's a "web technology". People rely on PHP and other security holes, and we all know what happens to infrastructure built on a foundation of wet tissues. After a couple of months, some bright spark comes up with "2.0", also built on wet tissues but now they're "layered". Or something. Try to follow the metaphor.

In any case: either your identity is completely and utterly up for grabs, or you've invested a lot of time (and possibly money) in a very complicated (though probably very pretty) infrastructure which is now completely obsolete.

At the same time, my trusty text file on its encrypted volume (with its backup on dead tree stored somewhere physically secure) celebrates its tenth birthday and still works as well as the day it started as an empty file.

I'll stick to "Web 0.9", thank you. I don't think I could handle the stressful life of "developing for the web". It's so much more relaxing in the kernel, where standards develop at glacial speeds. Bliss.

It's good for low security stuff such as commenting on blogs.
Besides, nobody says you have to use passwords with OpenID.

It's perfectly possible to use other means of authentication,
such as InfoCards, gpg keys, whatever...

Posted by TimothyP at Sun Jun 15 13:09:54 2008
I don't know how OpenID in particular works, but other "centralized" authentication frameworks (like Kerberos, for example) don't necessarily put your password at risk if one of the sites that use it gets compromised, because those sites/servers merely exchange (short-lived) "tickets" with the central server and never see your password themselves.

Posted by ghen at Sun Jun 15 14:10:15 2008
TimothyP: Doesn't it strike you as being a bit disproportionate, then, to set up a complicated infrastructure simply for "low security" things like commenting on blogs?

Ghen: Well, yes - I know how Kerberos works.  Kerberos is a well-established authentication mechanism and a number of thoroughly verified implementations exist.  OpenID feels like a reinvention of Kerberos for a platform which doesn't need it.  Hence the bit about a solution looking for a problem.

With my long list of randomly generated passwords, I don't have to worry about anyone seeing my password either: the 'damage' is limited to a single site.

The only drawback of my approach is that I have a manual lookup when I need to authenticate.  This is mitigated by Mozilla's password manager which helpfully saves the passwords I want it to save.

Posted by Philip Paeps at Sun Jun 15 15:04:47 2008
I hate your fscking comment system. At least tell me which words are blacklisted, how long your timeout is for entering comments etc. I'll not repeat my rant about the captcha.
Anyway, I have this really long and interesting comment, but your comment thing rejects it.

Posted by Zombie at Sun Jun 15 22:43:19 2008
> The only drawback of my approach is that I have a manual lookup when I need to authenticate.
Have a look at pwsafe. It's in Debian and compatible with Schneier's Password Safe; it's command-line stuff and can send the user+pwd to both clipboards (the "middle button" and the ctrl-V) in a smart way (you just paste twice and it's gone from the clipboard buffer).

For OpenID, I like it but/because I'm running my own authentication server ;-)

Posted by Philippe Teuwen at Mon Jun 16 18:53:48 2008
I second Zombie. I've already given up a couple of times before.

Posted by elise at Mon Jun 16 21:19:53 2008