Tag Archives: OpenID

An e-mail to Google about enabling Webfinger

RCPT: info@google.com
FROM: mmn@hethane.se

I’m mailing this social web feature request to the info@ address as it should reach some authoritative person at Google. At least according to some SMTP RFC I once read.

I’m a big fan of the federated social web and would very much like to see the Webfinger discovery protocol implemented on the gmail.com domain, mainly in order to find your users’ OpenID providers in a standardized way. (i.e. /.well-known/host-meta -> xrd lookup -> user data including OpenID server).

It would definitely help boost OpenID usage as a lot of people have a Gmail address – which is much easier to remember and type than the Google account OpenID provider url. It would also enable a federated web friendly version of the various “Connect” login options that the major asocial web service companies offer.

<info@google.com>: host aspmx.l.google.com[] said: 550-5.7.1 The
user or domain that you are sending to (or from) has a policy that
550-5.7.1 prohibited the mail that you sent. Please contact your domain
550-5.7.1 administrator for further details. For more information, please
visit 550 5.7.1 http://support.google.com/a/bin/answer.py?answer=172179
ig6si37627458lab.30 (in reply to end of DATA command)
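As an added illustration of the discovery chain the e-mail asks for (example code written for this page, not anything from Google or from the original post), the following Python walks host-meta -> LRDD template -> per-user XRD -> OpenID provider over constructed sample documents; the domain example.com, the webfinger path and the id.example.com endpoint are assumptions, and fetch is a stand-in for an HTTPS GET so the code runs offline.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlparse
XRD = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
OPENID_REL = "http://specs.openid.net/auth/2.0/provider"

# Constructed sample documents for the assumed domain example.com (not live data).
DOCS = {
    "https://example.com/.well-known/host-meta": """
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd" type="application/xrd+xml"
        template="https://example.com/webfinger?q={uri}"/>
</XRD>""",
    "https://example.com/webfinger?q=acct%3Aalice%40example.com": """
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:alice@example.com</Subject>
  <Link rel="http://specs.openid.net/auth/2.0/provider"
        href="https://id.example.com/openid"/>
</XRD>""",
}

def fetch(url):
    """Stand-in for an HTTPS GET that serves only the constructed documents."""
    return DOCS[url]

def xrd_links(xml_text):
    """Parse an XRD document into a list of Link attribute dicts."""
    root = ET.fromstring(xml_text)
    if root.tag != XRD + "XRD":
        raise ValueError("not an XRD document")
    return [link.attrib for link in root.findall(XRD + "Link")]

def lrdd_url(host, acct_uri, fetch=fetch):
    """Steps 1-2: host-meta -> LRDD template, filled with the account URI."""
    for link in xrd_links(fetch(f"https://{host}/.well-known/host-meta")):
        if link.get("rel") == "lrdd" and "template" in link:
            url = link["template"].replace("{uri}", quote(acct_uri, safe=""))
            p = urlparse(url)
            # Follow only https templates on the queried domain, so host-meta cannot steer discovery elsewhere.
            if p.scheme != "https" or p.hostname != host.lower():
                raise ValueError("unsafe lrdd template: " + url)
            return url
    raise ValueError("no lrdd link in host-meta")

def openid_provider(acct, fetch=fetch):
    """Step 3: per-user XRD -> OpenID provider URL (None if not advertised)."""
    host = acct.split("@", 1)[1]
    for link in xrd_links(fetch(lrdd_url(host, "acct:" + acct, fetch))):
        if link.get("rel") == OPENID_REL and "href" in link:
            return link["href"]
    return None
```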

Computer security and theories on passwording

I believe in simplicity. Not only that things should be simple (though not necessarily easy, just logically basic). Things like security through obscurity and unnecessarily complicated password schemes are all bad ideas.

That said, I don’t like Jakob Nielsen’s suggestion to implement cleartext password boxes. Many others have reacted to this as well, with various reasons.

Nielsen has some good points. Very farfetched, but good nonetheless. Masked passwords make users uncertain, which causes them to choose “overly simple passwords”. Some argue that “most people type from muscle memory”. I do that too, but I argue it only applies to “most people who actually consider security hazards”. We’re more self-encouraged to choose strong passwords and generally more computer-savvy. Most actual computer users have visual or literal memories. They remember/verify the password when they see it.

Also, muscle memory doesn’t work for handheld devices. So Nielsen makes a good point, if it weren’t for shoulder surfing. Though Schneier mentions a reader comment referring to a marvellous solution for that:

A reader mentioned BlackBerry’s solution, which is to display each character briefly before masking it; that seems like an excellent compromise.

But… The problem of good passwords isn’t solved. I strongly doubt that Nielsen’s cleartext boxes will make users choose something they wouldn’t be able to type when they’re drunk. (even though it’s a good idea in the sense of Gmail’s math security)

My personal theory is – in compliance with my love for Occam’s razor – that it might not actually be a problem. Users will always choose easy passwords. So why not – and sorry for stepping on Nielsen’s usability toes – force changing of passwords once in a while? It’s a pain in the ass, I know. But then again, it probably only should be implemented as perceived necessary depending on the service.

Another way out is if the use of OpenID became more widespread. OpenID would eliminate the problem with keeping track of which password is used where. Also I think it could be used to avoid password phishing attacks etc. if people were used to the process.