
OpenID has a potential cure for Website password overload

Rafe Needleman Former Editor at Large
Rafe Needleman reviews mobile apps and products for fun, and picks startups apart when he gets bored. He has evaluated thousands of new companies, most of which have since gone out of business.

On my computer, I keep a Word file where I store my various Web site passwords. It is 102 pages long, because every time I visit a new site that requires a login and password, I write the combo down in my file.

This has got to stop. For one thing, it is terribly inconvenient. I'm sick of filling out a form when all I want to do is experiment with a new service. For another, it's unsafe. Not only does my one Word file hold almost all my passwords (I keep bank and commerce passwords separate), but since most of the passwords are the same, should one of these services get hacked, the password uncovered would give access to dozens of other sites. Sure, there are software utilities that can create and track unique passwords for me (like RoboForm, which I've recently started to use), but I wager that most people browsing the Web use the same user ID / password combination at every site they visit.

There's an emerging solution to this, called OpenID. The concept is that you create one master identity online, at a site that you use a lot and tend to remain logged in to -- like a social network or your personal blog. When you need to identify yourself to a new site, you point that site towards your identity-providing site, where you're already logged in. Your main site then sends the new site a signed assertion that you control that identity (it never hands over your password), so the new site now knows who you are.

For users, it's a similar concept to Microsoft's failed Passport scheme, but there is one key difference: there's no single site that holds all users' identities. Any site can become an OpenID provider, and users can choose one they trust. Don't trust Google? Then how about eBay, or perhaps MySpace?

OpenID was created by Brad Fitzpatrick, now at blog company Six Apart, as a way to link users on the various Six Apart platforms together. It's been primarily used so far to verify the identity of people posting comments on blogs, but it can be used more generally. For example, the photo sharing site Zooomr uses OpenID as a login method. Wikipedia has a list of other sites that use OpenID.

If you don't have a personal page or don't use a site that acts as an OpenID provider, you can create an identity at myopenid.com. Hopefully some big sites that are popular with consumers will become OpenID providers.

One weird thing, for new users, is that instead of logging into an OpenID-using site (like Zooomr) with a user name and password, you just give it your personal OpenID URL -- and no password. Then your browser pops over to your authenticating site (like myopenid.com) to verify that you want to use your persona on the new site; if you aren't already logged in there, that is where you enter your password, and only there. This is bound to initially confuse people, and since users may not be asked for a password, it can also appear to be less secure, although it is not: the password is still checked, just by the one site you chose rather than by every site you visit. The one habit worth learning is to check that the page asking for your password really belongs to your provider, because a malicious site could bounce you to a look-alike login page instead.
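To make the redirect dance above concrete, here is a simulated OpenID 2.0 sign-in carried through both sides: the relying party sends the browser to the provider with nothing but the user's OpenID URL, the provider (which already holds the user's session) signs an assertion, and the relying party verifies that signature before trusting the identity. This is an added example written for this edit, not code from the article or from any OpenID library; the hostnames, the provider's "who is logged in" table and the shared association key are all constructed, and the association step that real deployments perform over HTTPS is replaced by a random key.

```python
"""Simulated OpenID 2.0 sign-in: relying party (RP) -> provider -> RP.
Added example, not code from the article. Hostnames, the association key
and the provider's session table are constructed; nothing uses the network."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

OP_ENDPOINT = "https://provider.example/openid"        # hypothetical provider
RP_RETURN_TO = "https://photos.example/openid/return"  # hypothetical RP
# Real deployments negotiate this with openid.mode=associate over HTTPS;
# a random key stands in for that step here (constructed).
ASSOC_HANDLE = "assoc-" + secrets.token_hex(4)
MAC_KEY = secrets.token_bytes(32)
# Sessions the provider already holds (the "tend to remain logged in" part).
LOGGED_IN = {"https://alice.provider.example/": "alice-session"}


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def sign(fields: dict, signed: list) -> str:
    """HMAC over the key-value form of the listed fields (OpenID 2.0 style)."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(MAC_KEY, kv, hashlib.sha256).digest()).decode()


def rp_build_checkid_redirect(claimed_id: str) -> str:
    """Step 1: the user typed only an OpenID URL; the RP bounces the browser
    to the provider. The RP never shows a password field at all."""
    return OP_ENDPOINT + "?" + urlencode({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.return_to": RP_RETURN_TO,
    })


def provider_handle_checkid(redirect_url: str, consent: bool = True) -> str:
    """Step 2: the provider checks its own session and the user's consent,
    then signs an assertion and sends the browser back to return_to."""
    q = _query(redirect_url)
    if q["openid.identity"] not in LOGGED_IN or not consent:
        return q["openid.return_to"] + "?" + urlencode(
            {"openid.ns": q["openid.ns"], "openid.mode": "cancel"})
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = {
        "openid.ns": q["openid.ns"],
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": q["openid.claimed_id"],
        "openid.identity": q["openid.identity"],
        "openid.return_to": q["openid.return_to"],
        "openid.response_nonce": stamp + secrets.token_hex(4),
        "openid.assoc_handle": q["openid.assoc_handle"],
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = sign(resp, signed)
    return q["openid.return_to"] + "?" + urlencode(resp)


def rp_verify_assertion(return_url: str) -> Optional[str]:
    """Step 3: the RP validates what came back. Returns the verified identity,
    or None for a cancel, a missing or tampered field, or a bad signature."""
    q = _query(return_url)
    if q.get("openid.mode") != "id_res":
        return None
    signed = q.get("openid.signed", "").split(",")
    # These fields must sit under the signature, or an attacker could swap
    # the identity or replay the assertion at a different RP.
    must_sign = {"op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"}
    if not must_sign.issubset(signed) or any("openid." + k not in q for k in signed):
        return None
    if q["openid.return_to"] != RP_RETURN_TO or q["openid.assoc_handle"] != ASSOC_HANDLE:
        return None
    # A production RP also records response_nonce values to reject replays.
    if not hmac.compare_digest(sign(q, signed), q.get("openid.sig", "")):
        return None
    return q["openid.claimed_id"]


def login(claimed_id: str, consent: bool = True) -> Optional[str]:
    """The whole exchange as the browser experiences it."""
    return rp_verify_assertion(provider_handle_checkid(
        rp_build_checkid_redirect(claimed_id), consent))


def forge_identity(return_url: str, victim: str) -> str:
    """Attacker edits a genuine assertion to claim someone else's identity."""
    q = _query(return_url)
    q["openid.claimed_id"] = q["openid.identity"] = victim
    return RP_RETURN_TO + "?" + urlencode(q)
```

Calling `login("https://alice.provider.example/")` returns Alice's identifier because the provider holds her session and signs the response; the same call with `consent=False`, or for an identifier the provider has no session for, yields `None`. Editing the identity inside a genuine assertion (`forge_identity`) also fails, because the signature covers the identity fields, and the password is never present in any of the three messages.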

OpenID is not yet in wide distribution among consumer sites, nor is it yet simple enough for most consumers to use. But it's a very big step towards solving the problem of Web password overload, and I hope it evolves quickly into a consumer-friendly identity management platform.