The Dirty Truth About Web Passwords

Good article by Jeff Atwood on the Gawker web site compromise. The gist of it is that Gawker stored passwords in recoverable form, which is oh so wrong. Yet many sites continue to follow such ridiculous practices. It’s not just the small sites. eTrade did this during their first years in operation: if you called for a password reset, they’d read you your password over the phone. Atlassian Software sent you your password in the clear if you did a password reset. I find that when you alert companies to their incorrect practices they invariably show disregard. At least until they don’t.
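
The storage practice the post criticises beside the one it implies, as an added example (not code from the post or from Atwood's article): a store whose "reset" can hand the password back, next to one that keeps only a per-user salt and a PBKDF2-HMAC-SHA256 digest, so a reset can replace the password but never disclose it. The iteration count and 16-byte salt are illustrative choices.

```python
import hashlib
import hmac
import secrets

# Illustrative work factor for this added example; tune to your hardware and current guidance.
PBKDF2_ITERATIONS = 200_000


class RecoverablePasswordStore:
    """The practice the post criticises: the stored value is the password itself."""

    def __init__(self):
        self._passwords = {}

    def register(self, user, password):
        self._passwords[user] = password

    def verify(self, user, password):
        return self._passwords.get(user) == password

    def recover(self, user):
        return self._passwords[user]  # the disclosure eTrade and Atlassian performed on "reset"


class HashedPasswordStore:
    """Keeps only a random salt and a PBKDF2 digest; nothing stored yields the password."""

    def __init__(self):
        self._records = {}  # user -> (salt, digest)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = secrets.token_bytes(16)  # unique salt: equal passwords give different digests
        self._records[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        record = self._records.get(user)
        if record is None:
            return False
        salt, digest = record
        # constant-time compare so a mismatch does not leak how many bytes agreed
        return hmac.compare_digest(self._derive(password, salt), digest)

    def reset(self, user, new_password):
        # There is no recover(): a forgotten password can only be replaced, never read back.
        self.register(user, new_password)
```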

Atwood calls for greater use of federated identity so that users don’t need to create as many accounts. I couldn’t agree more. There is, however, the sticky problem of usability. OpenID botched this. Facebook Connect does a good job with usability, but at the cost of reduced security. The web is still waiting for a good user interface solution to federating identity: one that is both usable and secure. Adobe had an opportunity to solve this problem with Flash, because Flash allows code execution within a sandbox. That window has closed now that Adobe has ceded ubiquity to Apple’s interests.