a companion discussion area for blog.codinghorror.com

Cutting the Gordian Knot of Web Identity


+1 for LastPass.


mmmm, I agree that something must be done, but your solution seems flawed to me… You have one password to rule them all, if someone gets your master password, you are screwed, he has access to all the sites ever.
I get that like this xkcd comic says http://xkcd.com/792/ (noticed how many things can be explained with an xkcd comic?), a lot of people use the same credentials for different sites, but that’s another subject.


+1 for LastPass,

The Security Research Team at the Cambridge University Computer Lab came up with a more radical idea to represent utopia, named ‘Pico’ ( http://www.lightbluetouchpaper.org/2011/03/27/pico-no-more-passwords/ ). Proposing a clean slate approach.


Another solution my guts believe is safe is (I have no formal proof) to replace


With the uid to be a huge random unique key.

TLS makes sure nobody can read the url, so your uid/ukey is safe on the wire.

Bookmark it.

Make sure your laptop is not stolen. (anyway…)



Lastpass does a lot of this for me, although when it does mess up, it dies hard. Thankfully they make it pretty easy to manage the accounts it stores, and can handle multiple accounts well.

  1. re. the XKCD - he ignores that many sites have a password length limit - and a few of them, at least, will be silently truncating, which makes a phrase worse than using linenoise.

Also, I don’t know about him, but in my world, the sites I care about all limit login attempts or speed, so you can’t brute force - the “1000 guesses per second” problem is solved by not having the same password on every account; use different ones on banking and Important accounts - none of which will tolerate that sort of behavior from outside, and a shitty generic one on useless sites like forums because who gives a damn about forums.

And lastly, the Bad People don’t care about my account. They care about getting “easy” accounts; the people who use “Password123” and the like are all screwed.

On your suggestion - I absolutely reject any centralized system where a single point of failure breaks everything and a single security issue compromises everything I do.

Have fun pushing it - I ain’t taking it.

I mean, sure, it makes your life as a website operator easier.

Good for you. Not my problem as a user, however. I don’t care about making your life easier (nothing personal!); I care about mine, and “magical browser-based just works once you give a browser your master super-password” is BAD.

I don’t want to have to give Someone Else’s Computer my Master Credential Authorization to, say, play Kingdom of Loathing.

No. Just no.


For those wondering about still needing to sign in to the browser or cloud service, this is where something like a smartcard, keyfob, or other physical authentication device would come in handy. They are unappealing in today’s world of separate accounts on every site, but under this scheme (when paired with a quality account recovery service) it makes a lot more sense.

I’m curious about how we would prevent a malicious (or temporarily hacked) web site from showing a specially crafted sign-in page to the browser, and having the browser send along your private information to the wrong place without you every noticing. It seems… exploitable.

Also: captchas are not appealing to me for this. But I reference my first point: combine it with a hardware security key, and maybe the hardware key allows you to bypass the captcha.


Couldn’t agree more. There has to be a better way. And, there very nearly is with OAuth. However, and this is a pet peeve, whenever I use a OAuth account to log in to a 3rd party site, they require far more entitlements than they need. Thus making me nervous, and resorting to site specific user/passwords.

To enable me to post this comment. I logged in with my Twitter ID, which asked fir the following entitlements (this is the actual text):
• Read Tweets from your timeline.
• See who you follow, and follow new people.
• Update your profile.
• Post Tweets for you.

What a joke!!!

A little more respect, and we’d already be there with a Internet identity.


I get that Jeff’s saying a browser standard and not a plugin like LastPass, but WRT @Christopher and some of the other “LastPass” posts: one of the nuances about LastPass is that it only stores encrypted copy of your password database in “the cloud”. A local copy is downloaded to each device using it, and is accessible offline. So it supports “occasionally connected” scenarios, though obviously you can’t sync up new passwords from other devices while offline. The encryption is AES256 I believe, so it should be good until quantum computers come out next year. :wink:

Seriously, Jeff, look at LastPass if only for the technical details about what would be necessary to implement something like this. I’d love for it to be standard, better integrated into websites, and free-er, but it really follows the spirit of what you’re saying here, I think.

Another kink in your plan is that not only websites need passwords. As a consultant, I have VPN passwords, AD accounts, 3rd party apps. Not to mention personally, I have PIN codes for bank cards, membership cards, etc. So, you’re right that it all boils down to identity, but a full solution has to be bigger than a web browser.



Is argue that TSL (aka SSL) is not broken. The “trusted authorities” model is broken, which typically only effects HTTP+SSL for browser communication. WebId is not affected by this, nor is the public+private key system in general. We should just move to client keys period, which is all the “trusted authorities” are emulating because of the lack of processing power in the past.


I do NOT want to use any “internet ID”.

Besides, it’s certainly not working well with Korea.



A bit of a low-tech version of what you are talking about, but it’s worked well for me for years (Password Safe + DropBox): http://mooneyblog.mmdbsolutions.com/index.php/2010/04/16/password-management-for-dummies-and-developers/


No. No no no no no. I’m sick of people behaving like websites are the only things that require passwords. Your “solution” offers no affordance for those of us with passwords on our Windows accounts (several at work and home), our phone lock screens, buildings, bank/telecoms telephone lines, etc etc etc. We need a password solution that doesn’t require internet access. This “cloud-based” solution is completely worthless for a massive number of use cases.

And no, don’t give me that crap about ubiquitous internet. Maybe in your country, but it’s YEARS AND YEARS away from being a reality where I’m from.


Wouldn’t this tie me to a single browser? I use several browsers on several devices, and I need access from all of them.


Jeff, you are a genius.

Yes, yes, yes. I have a text file with my passwords/usernames and I have to refer back to it when going to another site. It’s a gigantic pain in the ass.

This is a major restriction of the web, versus the desktop. But I’d like for the web to act more like the desktop. When you logon to your desktop, you input your username/password and are able to access all programs without a hitch. This is what I’d like for the web later, as you stated, having an ID/Password and accessing any site in the world on any device.

There is however, one big catch. The only way it’s possible is if either:

  1. People use one identity
  2. The system is able to present multiple identities and you plug which identity you want to use into the website.

Realistically, the more websites we go to, the bigger a problem this will be. I know I’m not the only one that goes to tons of forums/blogs/e-com sites and gets pissed off when you have to click the “forgot password button.”


Agreed, that’s what emboldened me to propose this as (gasp) a standard.



CAPTCHAs don’t work well in any case. Spammers just pay people to solve them and computers are better than humans at deciphering mangled text/identifying puppies/etc once trained.


The number one biggest concern I have reading your description of this is when you say the word ‘etcetera’ in this sentence: “retrieves the user’s standard information fields like name, email address, etcetera from some form of secure https cloud storage”. Sites are all the time asking for information I may or may not be willing to give. Especially when I’m trying something out. So maybe I start with a mailinator address and a fake birthday, and then based on the usefulness I’ll sign up for a real account. But even then, there’s not much chance I’m giving my real phone number. I don’t want any sort of automatic data pull happening from some cloud storage. I have to control what data I share, 100%.

I remember reading an article by Doc Searls back in 2005 where he completely missed the same point: http://www.linuxjournal.com/article/8357. Identity information is essential… valid demographics are often optional. If the system doesn’t allow me to remain semi-anonymous, fake data, or outright lie when I’m asked for information that I don’t want to give, the system won’t gain acceptance. Identity and demographics are different and have to remain so for any system like this to work.


I agree with the approach above using SSL certificates. Using a single cloud solution is a single large point of failure. If Amazon Service or Google ever goes down (and they both have) then the internet is broken. I put a more formalized solution up for the method described above using SSL and a private key store.



Sure sounds a lot like CardSpace.