Benlog

A few weeks ago, I wrote about about how web sites that manage your data should be more open in order to better protect you. Not so surprisingly, I’m not the only one thinking about this issue.

Jeremy Keith has a fantastic detailed write-up regarding what he calls the “password anti-pattern.” It gets at the same fundamental issue I was talking about, but with more interesting detail. It lays out the problem concisely and clearly:

[Asking for gmail passwords from your users] teaches people how to be phished.

And it mentions OAuth, an effort I only recently learned about, which standardizes the kind of web-based API that would make this practice go away. Fantastic.

But I want to push this a little bit further. The OAuth site talks about ways in which OpenID authentication can be used in combination with the OAuth application API. But OpenID, in its baseline implementation, suffers from the same kind of problematic anti-pattern: it teaches you to be redirected to a login site where you enter your password. Not as bad as entering your password on a different site, but still pretty bad: you now learn that it’s okay to be redirected to your identity provider by any web site, whether or not you trust the web site. And if you don’t check the URL in the address bar (ahem, only security freaks like me do), you’re being taught to be phished, too.

OpenID can be patched to be more secure. But it’s important to realize that, in its baseline implementation, it’s just as bad a user design pattern as the social-network password-based contact importer.