For the uninitiated, please read about OpenID at the source. For a quick and dirty lowdown, all you need to know is that OpenID is a centralized password system which is supposed to be secure.
I don't like OpenID.
I don't like it for the same reasons I don't like the idea of a national ID card. All someone has to do is have access to your OpenID account and they have access to all of the accounts where you use OpenID. Whatever information is stored in your OpenID account is not secure, even if they say so and even though it sits on a secure server.
Nothing is secure when you add the human factor to the equation.
Security and the human factor.
All you have to do is read how US government computers and databases were compromised by government employees to understand how it works. All the secure systems in place mean nothing when the people using the systems do stupid things like taking laptops home with huge databases on them. It doesn't matter if they're allowed to do it or not, they still do it.
Putting your private data in the hands of any single entity is asking for trouble, in my opinion. It all comes down to a matter of trust. You're trusting that the people behind that entity won't use your information in nefarious ways.
The false sense of security.
When people start trusting a single entity with their private data, something's wrong. I've been seeing OpenID used on more and more websites. It saves the new sites from having to put their own authentication system in place. Old sites are using it as an additional authentication option.
I would never use OpenID at a website where they have more than just my basic data stored. Banks and other intensely secure systems don't use it and you just have to think about it for a moment to understand why they don't and won't use it. Ever.
OpenID has its place.
If you use OpenID as a master password for blogs, forums and other websites that just want your basic information (like name and email address), I don't see anything wrong with it. In fact, I would probably use it for those purposes.
When more information is required, such as addresses and phone numbers, that's when I start getting antsy. I would rather risk an independent system getting compromised than all the systems getting compromised due to centralization.
Maybe I'm just paranoid.



