9 comments

[ 3.4 ms ] story [ 32.3 ms ] thread
i've always thought password authentication is not the best way to be doing auth for websites. certificates seem to be the right solution, but difficult for the user to manage. (i love certs for ssh.)
Agreed. Any time I can ditch the password, I do. Certs are a pain in the ass to setup, though. SSH without passwords is pure freedom.
I guess I could expand upon that in the 2nd bonus point. Certificates would make an excellent extension to HTTP Auth, as long as end-users can self-sign, like SSH, and not have to pay a $100/yr extortion fee to a company like Verisign.
Commercial x509 certificates are as cheap as $9.95 and there's several free services. But they are a pain to try to explain to a typical end user on how to configure and install in their browser.
The author doesn't really expound why 1password wouldn't work. It's available for Mac/Win and integrates nicely with FF, IE(Win), Chrome and Safari(Mac).

That software is indispensable to me, as I often login to numerous dev and test instances of webapps in addition to my shopping and forum sites... I can now have long, secure passwords/phrases that are autogenerated. In addition, with dropbox, I have 1password distributed on all my devices.

I avoid the Google problem he mentioned by using separate browsers (ie, FF for work, Safari/Chrome for personal) or separate computers/devices (I only really use Facebook on my mobile). If multiple instances of a particular browser is desired, something like http://fluidapp.com/ or Mozilla Prism could be used to segregate the profiles.

In short, the author ignores existing products and is re-inventing the process.

Thats a little unfair. I mentioned existing products, and I use them, so I can't fathom where you get that I ignore them.

I've used KeePass for years, but I have to manually open it and copy/paste passwords. I've just started using 1Password, and "integrates nicely" is not how I would describe its interaction with Chrome. Even the 1Password site has a list of a half-dozen bullet points of critical things the Chrome extension can't do.

In the very first section, I explain how I'm doing the exact same thing with multiple browsers, and that "works" (not well) until you get about 3. I have 4 AWS accounts for various projects, and remembering which browser is which is annoying. What I want is a single button in a toolbar or menu to pick a different account for a single website, without having to leave my preferred browser.

I feel like you're sticking your head in the sand. "I've found workarounds to all the problems he mentioned, so nobody should spend their time trying to make it better!"

I don't mean to be personal, but you just skimmed out a few things to nitpick, without really reading the article.

I have to agree that it doesn't seem like R00fus read the entire article or if he did then he completely failed to comprehend the intent. It's not about reinventing the process, it's about moving forward to something better and more useful that doesn't require you to have open every browser known to man as part of a normal work environment.
Look, you don't mention Chrome as your one and only browser, and yes, 1password for Chrome isn't as integrated as for Safari/FF, but you can still use the "CMD-\" to login quite well... what specific issues are you running into? I've simplified your 5-step process to: 1) Click logout on site 2) CMD-backslash 3) If I have only one account, no step 3, otherwise, choose the account for the site I want to use from a dropdown navigable by arrows 4) Browser back button (or keyboard equivalent) to go back one page.

Honestly, I agree that the whole issue of managing several accounts on a given service is quite weak anywhere you go... the fact that website/services think you should be limited to one account goes well back before the web (credit cards nubmers per servicer, home phone lines, physical addresses)... in all of these categories it's very easy to assume a given user will only have one account (and it's true for 95% of the populace). Given the virtual nature of the web, it's sad that web services fall into this trap as well (e.g. trying to run several power e-trade pro sessions for different accounts on the same box is an exercise in frustration).

You still haven't commented on usage of SSBs like Mozilla Prism for separate site/account combos (apparently, Prism is the only SSB that separates the cookie cache).

I don't mention that, because I don't. I use Chrome for everyday browsing, and FF for development, because I like Firebug. I've also had to extend my FireFox usage for a separate set of Amazon credentials. Then I got another one, and it seems like adding another browser to the mix would be a PITA, which prompted me to think about how it could be done better.

Whether its your 4-step process or my 5-step (which are really the same things, so thats just semantics), wouldn't a 1-step process be much better? If you really like clicking things, no one is stopping you from doing it your way, so why poo-poo anybody else's attempt at making progress?