a companion discussion area for blog.codinghorror.com

Cutting the Gordian Knot of Web Identity


Never mind. How are we going to legislate across national borders?


So the solution to remembering 100 passwords starts with a captcha? No thanks, I’d rather deal with the passwords.

Captchas are getting out of control. Three-quarters of them are illegible to anybody who isn’t three-quarters in the bag, and the rest use ambiguous characters that could be letters or numbers. Lately I have been having to cycle them four or five times in order to find one that isn’t illegible or ambiguous. The ones I really hate are the ones that require punctuation and accented characters. Last week, one actually demanded that I supply a Greek “mu” symbol. Give me a break!

Conversely, with 1Password, I can handle all the passwords I would ever want, with no sweat.


I’m working on this now, actually. I’ve posted a fleshed-out idea here: http://rulius.squarespace.com/display/ShowJournal?moduleId=13305046&SSScrollPosition=320

Obviously, it needs some work, but I have a lot of confidence in it.


I enjoyed the article, but I especially enjoyed the Beagle Bros mention. I was part of Beagle from 1985 until 1991 when the Apple II line was sold to Quality Computers. I miss the good old days, but I wouldn’t want to give up my iPhone.


Sigivald wrote:
"I mean, sure, it makes your life as a website operator easier.

Good for you. Not my problem as a user, however. I don’t care about making your life easier (nothing personal!); I care about mine, and “magical browser-based just works once you give a browser your master super-password” is BAD."

…Because website operators are the only people who have to create accounts on the Internet and log on to them. Sigh.

And to Sigivald and everyone else complaining about the high risk of having a master password that, if hacked, will give someone access to all your accounts - you already have one: the password of the email address you used to register all your accounts, as I’ll bet that you don’t create a new email account every time you register an account on a website. If someone were to hack or guess its password, he would gain access to all accounts you created across the web by using the forgotten password feature.

MartinDoms wrote:
"No. No no no no no. I’m sick of people behaving like websites are the only things that require passwords. Your “solution” offers no affordance for those of us with passwords on our Windows accounts (several at work and home), our phone lock screens, buildings, bank/telecoms telephone lines, etc etc etc. We need a password solution that doesn’t require internet access. This “cloud-based” solution is completely worthless for a massive number of use cases.

And no, don’t give me that crap about ubiquitous internet. Maybe in your country, but it’s YEARS AND YEARS away from being a reality where I’m from."

…What the fudge are you going on about? Jeff is suggesting a solution to the problem of having to register accounts and remember passwords across the web, NOT a magic spell that will solve your daily life’s problems. So why on Earth are you crying about how it doesn’t magically solve problems that are far out of its intended scope? Do you send complaints to companies that write antivirus software about how their software is useless when it comes to real-life viruses?


Identity is not important for the modern internet. An identity token might be. There are two reasons for site logins: one, to reestablish state between sessions for the appropriate user; two, to sell user data.

Imagine if you had to log in to a TV channel to watch that channel’s content. TV, prior to the internet the most consumed mass distribution channel on earth, provided anonymity to its users. Mostly because it was low tech, and because it was conceptually top down: viewers don’t matter as long as they are watching.

I view the login problem not as a Gordian knot, but as a low-tech problem, which is essentially unsolvable due to the cowardice of the collective efforts of engineers who are driven by business people who just want to collect as much user data as possible.

Let’s face facts, the inventors of the internet fucked this up. It was one of the first things they fucked up and we will live with it for a fucking long time.


This is a bit late, but I just came across this in respect to some other research I’m doing. Check out http://revauth.cloudmo.de, where we’ve implemented something a bit better than a random password, in fact an unforgeable user credential.


Sounds like a good idea, but… it’s that tiny little innocent word “standard” that is likely to be the problem. The last 25 years of independent browser development, and the results thereof, suggest that there will be plenty of different “standards”, each incompatible and many only partially implemented (which ones differing between each make/model of browser, of course).

Internet Developers Mind-Set: "The only thing better than a standard protocol for X, is to have dozens of 'em."
Unfortunately, in this case.


While usernames/passwords are a horror, the greater disaster would be a system that requires actual individual identification at login. The web never forgets. Those who post an opinion at age 15 can be haunted by it at age 30 because a comprehensive lookup is just a few keystrokes away. And we can count on those who insist on selling us things we neither want nor need to sew together every minuscule bit to recreate us in an image that may be targeted by their marketing machines. So at least two identities should be used by everyone - their real “This is who I am” identity, and the one, only very tenuously connected to them, that says, “I voted for Trump/Hitlery”.

Guess which one I’m using here?