OpenID is Hard? So is Changing Your Password Every 3 Months.

This post was written by Jake on September 9, 2008
Posted Under: Misc, Web Design

I’ve had the great fortune of working at two consecutive companies that force you to change your password every 3 months. Whenever the rollover date hits, I change EVERY password that I use.

Today happens to be that day.

Much to my amusement, I also happened to run across an article that states that OpenID is too hard for everyday use.

Absolutely! I couldn’t agree more. They still need to jump a gigantic new user hurdle. However, the alternative also sucks: changing your password for every service you use. So far today, I have changed the following passwords:

At Work:

  • Two local computer passwords
  • Two network passwords (one Unix, one NT).

At Home:

  • One Vista machine.
  • One Ubuntu laptop.
  • One server-edition Ubuntu machine.

On the Web:

  • Google
  • Reddit
  • jakevoytko.com x2
  • Dreamhost
  • Dreamhost MySQL (different password than the rest, naturally.)
  • Facebook
  • AOL Instant Messenger
  • Amazon
  • Windows Live (once I remembered which domain I used to register. This service plunges further onto my shit-list every time I use it).
  • Internet provider
  • Insurance provider

Special Passwords (i.e., don’t allow symbols):

  • Verizon
  • Digg

And I probably still have more to go! The good news is that a lot of sites seem to be converging on standards for passwords. Probably 65% of the web-based passwords were in a section marked “Account Information” or “Profile.” Some were hopelessly buried.

OpenID may be hard, but they are taking a big step in the right direction. This is the web usability area that impacts users most.

Ironically, one of the passwords I won’t be changing is OpenID, since the only time I used it, I used a throwaway password on a throwaway account that I don’t remember anymore :D . Doing this for the 5th time in a row is certainly encouraging me to sign up with OpenID and get another password to add to the list!

Reader Comments

Jake, I applaud your vigilance in changing all of your passwords at once when the digital powers that be at your work command you to do so. I just wish there was a better solution since it is out of hand how many passwords there are to remember in this day and age!

#1 
Written By Greg M on September 9th, 2008 @ 10:51 am

Nice post, I think you make very reasonable points regarding passwords and OpenID usability.

I work for Vidoop and we have an OpenID provider at http://myVidoop.com that also has an integrated password manager that will store all your online passwords. You can store your passwords locally or with myVidoop. If you store your passwords on myVidoop then they are accessible from anywhere.

All your data is protected by our two-factor authentication ImageShield, which is phishing, man-in-the-middle, and shoulder surfing resistant. Using our ImageShield, a random access code is generated every time you log in. Also, many studies have shown it is easier to recognize image categories than recall a complicated password.

We have an excellent video describing how our ImageShield protects your data here: http://www.vidoop.com/products/overview

For my personal solution I keep a copy of Firefox Portable on a thumb drive, along with the plugin installed and password file and have a completely portable solution that I can plug in anywhere. Once I am done I just unplug the drive and move on.

It is also worthwhile to note that OpenID is only a component in the identity stack; there is an excellent description of everything that goes into someone’s identity beyond OpenID here: http://blogs.oracle.com/talkingidentity/2008/05/05

Hope this helps,
Kevin

#2 
Written By Kevin Fox on September 9th, 2008 @ 2:15 pm
