Wow. Someone who can curse a lot. Read the whole thing, and all I see is someone who's out of touch and can't express even their own vapid complaints in a logical or consistent manner.
I find that unlike most bloggers, Ted actually is pretty smart about what users like and don't like.
OpenID is cluttered. It takes longer to use it than it does to just reregister every single time. Even Clickpass doesn't speed things up. It's hailed as brilliant because it's open, but it's poorly implemented to a fault.
I argued in another thread that Facebook Connect was the technology to bet on. It's closed, but it actually offers a one-click login. The people in the comments thread, it seemed at the time, were evenly split into two camps: people who had used both and agreed, and people who disagreed because FConnect wasn't an open format.
Ted's swearing also comes across well to me (and, it would seem, to a lot of other people). I like that he gets worked up over this. It cuts out a lot of bullshit and sounds like he genuinely cares about the things he writes about.
That said, it works best when the receiving site uses the ClickPass button: without that, the login still takes longer than it ought to. With the button, it's as fast as Facebook Connect, but it has the downside that fewer users are using it, and that it offers no service BESIDE login. Facebook has an edge there, too, in that it offers functionality that users want to actively use, so FConnect is a logical extension rather than a brand-new concept.
I think when he said "It's hailed as brilliant because it's open, but it's poorly implemented to a fault" he was talking about OpenID, not Clickpass specifically.
I honestly enjoy most of Ted's posts on his blog and previously on Uncov. You know he's not censoring himself and he's often willing to say things other bloggers won't cause he's not caught up trying to be PC.
Sure, some of his posts are extreme, but even those posts appeal to the same part of my brain that Valleywag appeals to.
I had the same beef when I was getting into Stack Overflow. OpenID just complicates the signup process with little tangible benefit, solving a problem few users actually have. UI-wise, it feels little better than Microsoft requiring a Passport account only OpenID is even more complicated since you have many different providers to choose from. Maybe it'll be awesome in 5 years when users all understand what OpenID is about or after more sites design kick-ass UIs around it.
I don't see why it will ever be "awesome." Any system that lets you use the same password/username for every site is a recipe for disaster, I think. Well the key problems I see with this whole getup is
1) Phishing? 10x Easier if everyone used Open ID. Masquerade as a provider, phish happy.
2) If someone has their password stolen...there goes every account they have. Albeit, without open id, this is sadly often the case anyway. (Not for me, but for most people.)
3) How hard is it, really, to register for a freaking website? Name, address, mailinator email. Done, no hassle.
IF Open ID is to be useful, it has to be able to log people in with extreme ease, otherwise the time-saved benefit of not entering these reg forms will be eradicated by the complexity of the system itself. And obviously...openid is NOT extremely easy. In fact, its quite the opposite. Even for a power user...unless you're signing up for many many many many accounts, its not helpful.
That's the translation of "maybe it will be awesome in five years". In web terms, five years is practically as far away as the heat death of the universe.
When we're trying to be polite, we geeks adopt the legendary phrasing techniques of the Japanese: We almost never use the word no. Instead we say "it's really quite difficult".
Like Tedd Ziuba, I also didn't have an OpenID when joining Stack Overflow. Instead of becoming annoyed with OpenID (which, admittedly, I am), I became annoyed with Stack Overflow for requiring one.
What I did was register my own domain (callna.me) and install Drupal 6 with the OpenID Provider module. Instant OpenID.
Anyway, his post makes him sound like an idiot. It's a good thing comments are turned off on his post.
You seem to be missing the point of both Tedd's post and my response. Tedd's point is that it's hard to understand OpenID and implement it. My point is that it's easy.
Well the overwhelming point is that for the average user, OpenID solves nothing, confuses them, and offers no benefit. It also does more harm than good IMHO opening the door to countless phishing attacks.
What part of my post said that's what other people should do? I explained what I did, which was finding a simple and creative way to solve a problem I was having. It probably took less time than it took Tedd Ziuba to write his post.
OpenID and enterprise Single Sign-On counterparts like SiteMinder are trying to solve a problem that browser-based credential vaults have rendered largely obsolete.
Yep. I've said the same thing before: 1password for the Mac. You pay $35, once, and suddenly every site on the web supports auto-filling of gigantic automatically-generated strong passwords. You can stash your non-Web passwords in its lockbox, too.
There are occasional glitches and annoyances (my pet peeve is that so many of the sites in the world don't actually support long passwords containing symbols). But you can fix the problems, because it's pretty obvious what 1password is doing and the whole thing is right there on your machine.
I'm sure there are similar programs for Windows, though I can't recommend one.
I don't quite understand this. I may not be using OpenID correctly, but when I ask my users to login, they just pop in their OpenID URI (that is, their username--that's what it's labeled as on my webapps, and that's what it is) and get auto-directed through their provider's auth system, showing up as simply a two-second redirect. When they don't have an OpenID URI yet, I send them over to a provider I trust--right to their registration form--with the first part (their desired username) already filled in. How is this harder than normal registration? The only difference is that, when you aren't logged into the provider and you have to enter your password, it goes on the second login page, rather than the first. I don't even call it an "OpenID provider" in the FAQ, but a "security service." That's what it appears as to people: someone I've outsourced all the cryptography and password stuff to so I don't have to be smart about it.
Those that know about OpenID can use their own providers, but those that don't care won't have to think about it; they'll just use the one I pick (which is no worse than trusting me with their made-up-on-the-spot credentials, which is what they'd be doing otherwise anyways.) If they start caring, they can make a new ID with a provider they choose--I fully allow for account URI changes; it's not that hard to implement. In fact, the whole OpenID set-up for me was two library calls (discounting the fact that I had to hack the library itself to add in Simple Registration support, so I could automatically set users' nicknames to their OpenID accounts' nicknames on each login. It's discountable because I submitted a patch, so no one else will have to worry about it.)
Well, I was coming at it from a developer's point of view. Here's a user story:
1. I don't have an account with this site. They say that if I have an account with (any of these other OpenID-supporting sites), though, that that one would work instead. Neato, but I don't use any of those, so:
2. I'll click on the register link here. Ah, here's a registration page. It doesn't have the site's logo on it, but they said that would happen--they've outsourced this part.
3. Registered. They gave me a link, and said "just treat it as your username." OK; I'll try to remember it, then. "It'll also work on all those other sites we mentioned, and more every day." Neato again; I might check some of those out.
4. I'm back on the site I started at, and I've already been logged in. They got my nickname right and everything.
(days pass)
5. "You've been logged out of the site due to inactivity." Oh, well, what was my username again? That link thing? Oh, here it is in the autocomplete.
6. Hey, it didn't ask me for my password! What the heck? I'm just logged in all of the sudden. I guess that's good, then.
8. Oh, I'm back on that site that did the registration. They're asking me for my password. Makes sense--they're the only ones that I told that particular detail. Put that in...
9. Ah, I'm back on track and logged in again. Nice.
How do you know this is too confusing? Did you ask anyone? Did you do any research?
Why is this confusing but e-mail isn't? If I want to send and receive e-mail, I have to find my own provider. I also have to remember this weird string, "me@example.com". THAT'S TOO HARD FOR THE AVERAGE USER!!11!
I agree... For quite a lot of people email IS too hard for them. Sometimes takes them quite a while to understand how it works. I'd say openID is orders of magnitude more complex and more worrying.
I tried using openID once. It directed me to google or yahoo or something to log in... So then I had to decide if it was really google or yahoo, or if it was some phishing site.
It's a terrible idea, which is sure to fail. There is no compelling reason for people to use it.
I can bet you that I could fix all the problems you have with this story with one teensy little change: allow the OpenID providers to recieve "theme" information (basically a base URL for CSS files and images) from the sender site. Then the registration page would look like it was part of your site. Then, when rendering the login page/div, check whether the user is already logged into the provider using some onunfocus AJAX, and then smoothly drop the password field down underneath it if it's needed. (of course, then, you have to handle sending that password to that provider in a secure way, but we're focusing on user-persoective advantages now, so, like with IE6 support, a lot of sweat is to be expected.) from the user's perspective, if they don't know what the little "OpenID-enabled" icon next to the username box means, they can just go along with their business, and everything will happen as usual.
The only problem at this point is the URL username. To answer that, think about what, for example, gmail does: when you have a gmail.com address, you can drop that part and just use the username part of it. Likewise, I'd allow my users to strip off the domain part of whatever my "preferred provider" was, and just say that the "foreign IDs" basically need a "passport stamp" to get in--an attached domain name.
Seemed pretty clear to me in how he explained the amount of extra effort he would have to expend as a user to get started with OpenID, and as a developer to support it. It's work.
Every time I see an OpenID site, I just type "http://jrock.us" and am instantly signed up. No username and password selection, no waiting for the retarded e-mail confirmation e-mail... I am instantly registered for any site by just typing a few letters. I am really unsure why people dislike OpenID. As a website user, my time is saved. As a website developer, my time is saved. I suppose if you never intend to use more than one website, OpenID is a waste of time. For everyone else...
I think this guy would dislike e-mail if Facebook messaging had been invented before it. "Everyone with their own domains? That's too confusing. How will we ever explain it? Everyone except me is too dumb to understand!"
(As an aside, why is everyone so obsessed with making things "easy" for "users" they've never met? People aren't as dumb as you expect. Make it work for yourself first -- at least it will be good for one person that way. Your unresearched assumptions are harmful.)
What percentage of the internet using public is responsible for the type of youtube comments you're talking about? You can't take what is the worst display of human intelligence and hold it up as the standard or average with which you label everyone.
Even taking the youtube commenters I suspect, most of them, would be able to grasp openid if it stood between them and the next ROFLMAO-able video.
I actually think that most people are not dumb ... they just behave that way because it makes them look cool, or because they lived in a cave all their lives and don't know any better.
Instead of being arrogant, treat them the same as you would a smart and educated individual, and I think you will have quite a few surprises.
In fact I rarely meet dumb people, and I'm not living in Silicon Valey, but in a third world country with a corrupted government, and a shameful school system.
I agree 100%. I'll sign up for random sites now, knowing I might never come back, just because it's easy. No waiting for bullsh*t activation e-mails, selecting username, you name it. It's just...easy!
Heck, that's how I signed up for Hacker News. You wouldn't be reading this wonderful prose right now if not for OpenID.
Amen! I totally get OpenID but it's yet another technology with no significant benefit to the average joe (or, rather, no benefit that outweighs the disadvantages). Like RSS, this remains one for the power users.
I agree completely. OpenID is utterly flawed. If ever OpenID in its current form gains acceptance, I will eat my hat. And put the video of me eating it on YouTube.
OpenID is just a weak idea that needs a LOT and LOT of pushing to make it accepted. Look at the iPhone - nobody pushes you to use it, you see it, like it and use it.
With OpenID people have to be forced to use it, because it's cumbersome and does not offer any clear advantage.
Like I've said earlier, the real auth solution is the one where you simply stick your USB stick into a machine, type a 4 letter pin and everything on that machine is authenticated till you take it out.
A weak concept pushed by technologists and people who want to give talks and earn money off this technology.
"stick your USB stick into a machine, type a 4 letter pin and everything on that machine is authenticated till you take it out."
This is doable now with client side certificates. No body supports getting user creds from client site certs though. Would they be easier to understand than OpenID? Would they be easier to understand than username and passwords?
I spent most of yesterday implementing openid on a site I'm developing.
The problem is not the underlying mechanism but rather the way it's been presented on most sites. Remembering an openid url is counterintuitive for most people - you have to explain too much to all but the most technical users in order for them to know what's going on.
But now there has been some progress: Yahoo became an openid provider a while back, and they allow you to log in with their openid by simply entering "Yahoo.com," you don't even have to remember your openid URL.
I also used JanRain's ID Selector Javascript widget to make the signup form a little more intuitive:
So really I think openid is getting much better as it matures and its developer community tweaks it and the tools around it. If Google and Microsoft fully get on board (which they are promising) I think it will see pretty widespread adoption.
I wouldn't mind using OpenID if it actually worked.
When I try to login to stackoverflow, it sometimes gives me the following error message ...
"Unable to login with your OpenID provider: The remote name could not be resolved: 'blog.lexoft.eu'"
And after some time it starts working again. I suspect this is a DNS problem, but using OpenID means a dependence on an external system over which you have no control.
So I like the concept, but a site like StackOverflow should give the option of using normal user accounts as a fallback.
using the internet means a dependence on an external system over which you have no control. OpenID is no less reliable in that regard than the internet in general.
You can pry OpenID from my dead body. It moves user account controls back to the user. Want to delete an account? Delete access to the website rather than, usually, having to email the administrator. Want to only log in once to see what the website looks like? Click "Allow Once" instead of "Allow Forever."
I never thought about the delete access aspect. That's a good point.
Plus, since you never give a password, you don't have to worry about how they're storing it. Plain text in the database? passwords.txt file in the webroot? Doesn't matter because they don't have it.
Ted Dziuba is why I hate the Internet. I don't just mean that as a clever reply to the title. The Internet lets everyone be heard, instead of just the "qualified" people who used to get to publish their opinions in the print era. For the most part that's good, but there's a small group of writers who specialize in mean-spirited linkbait that makes me miss the editors who filtered everything in the old days.
"The Internet lets everyone be heard" => upmodded for truth. Everyone gets a soapbox and teh right to yell as loudly and as profanely as they like.
"instead of just the "qualified" people who used to get to publish their opinions in the print era" => upmodded for humour. Have you ever read anything in a newspaper owned by Conrad Black? Or anyone else, really? Print media may employ professional journalists.
But their "research" is flawed, they have a habit of regurgitating press releases from their advertisers and the political parties their owners support, and they pander to the prejudices of their readers.
Freedom of the press belongs to everyone who can afford a printing press. The internet is the cheapest, most unencumbered and uncensored printing press in history.
We have had a solution to this problem for decades: using the same God damned username and password for every website that needs them.
This is what I do...except that every once in a while, I try creating an account on a new site and discover that someone else has taken "sethg". Or the site has some rules about what characters are mandatory/forbidden in a password, and I can't use my default password. Or the site stores passwords in the clear and gets hacked, and I have to remember everywhere I used that default password and go change the password.
In the grand scheme of things this is only a minor irritation, but whenever I go to a site that I only expect to visit once every six months and discover that I have to create yet another site-specific account, I think, "I wish they supported OpenID."
My site uses OpenID, and I'm surprised at how many users actually do understand it.
It's especially true in the case of Yahoo users. All they have to do is type in "yahoo.com" and they're in. Try and explain to me how it's easier to remember a bunch of usernames and passwords than "yahoo.com"
And remember: There are no overarching guidelines on usernames and passwords, so the whole "use the same one every time" almost works...but not quite. One site requires a 6-letter password, another requires 9 with one uppercase letter and a number, while another has no requirements whatsoever. That crap gets frustrating as hell for me and there are several sites that I have to re-request my password every freaking time I go.
As more and more big sites come on as providers, like MySpace and Yahoo, it will only get better. I agree that there are issues with presenting and explaining it to users, but the underlying premise is a good one.
OpenID is not that hard to understand and will become even easier when more social sites become providers. The concept of your Facebook profile being your universal online identity is quite intuitive, especially to young people.
There is also a lack of best practices for consumers. When UI conventions are established and users become accustomed to them, it won't seem so confusing. Ideally, the creation of an OpenID associated "account" with a consumer would happen transparently the first time the OpenID is used, if it even needs to happen at all.
As for developers, OpenID may be more complicated to implement than conventional user/pass but it is also more uniform. Once there are mature libraries for common platforms, programmers will save a lot of time versus implementing user/pass from scratch. (I would not consider many current ones to be mature). Anyway, I'm not so sure OpenID is more complicated than a proper auth system with email verification and recovery.
67 comments
[ 2.4 ms ] story [ 126 ms ] threadOpenID is cluttered. It takes longer to use it than it does to just reregister every single time. Even Clickpass doesn't speed things up. It's hailed as brilliant because it's open, but it's poorly implemented to a fault.
I argued in another thread that Facebook Connect was the technology to bet on. It's closed, but it actually offers a one-click login. The people in the comments thread, it seemed at the time, were evenly split into two camps: people who had used both and agreed, and people who disagreed because FConnect wasn't an open format.
Ted's swearing also comes across well to me (and, it would seem, to a lot of other people). I like that he gets worked up over this. It cuts out a lot of bullshit and sounds like he genuinely cares about the things he writes about.
That said, it works best when the receiving site uses the ClickPass button: without that, the login still takes longer than it ought to. With the button, it's as fast as Facebook Connect, but it has the downside that fewer users are using it, and that it offers no service BESIDE login. Facebook has an edge there, too, in that it offers functionality that users want to actively use, so FConnect is a logical extension rather than a brand-new concept.
Sure, some of his posts are extreme, but even those posts appeal to the same part of my brain that Valleywag appeals to.
1) Phishing? 10x Easier if everyone used Open ID. Masquerade as a provider, phish happy.
2) If someone has their password stolen...there goes every account they have. Albeit, without open id, this is sadly often the case anyway. (Not for me, but for most people.)
3) How hard is it, really, to register for a freaking website? Name, address, mailinator email. Done, no hassle.
IF Open ID is to be useful, it has to be able to log people in with extreme ease, otherwise the time-saved benefit of not entering these reg forms will be eradicated by the complexity of the system itself. And obviously...openid is NOT extremely easy. In fact, its quite the opposite. Even for a power user...unless you're signing up for many many many many accounts, its not helpful.
That's the translation of "maybe it will be awesome in five years". In web terms, five years is practically as far away as the heat death of the universe.
When we're trying to be polite, we geeks adopt the legendary phrasing techniques of the Japanese: We almost never use the word no. Instead we say "it's really quite difficult".
What I did was register my own domain (callna.me) and install Drupal 6 with the OpenID Provider module. Instant OpenID.
Anyway, his post makes him sound like an idiot. It's a good thing comments are turned off on his post.
So simple your grandma could do it eh?
All public OpenID providers should be using valid SSL certificates. For some reason that is terribly, terribly wrong, some providers don't (like https://alwaysknownas.com, https://openid4u.net and https://openid.es).
Sure, easy.
Better an early-adopter developer forum than GMail.
There are occasional glitches and annoyances (my pet peeve is that so many of the sites in the world don't actually support long passwords containing symbols). But you can fix the problems, because it's pretty obvious what 1password is doing and the whole thing is right there on your machine.
I'm sure there are similar programs for Windows, though I can't recommend one.
Those that know about OpenID can use their own providers, but those that don't care won't have to think about it; they'll just use the one I pick (which is no worse than trusting me with their made-up-on-the-spot credentials, which is what they'd be doing otherwise anyways.) If they start caring, they can make a new ID with a provider they choose--I fully allow for account URI changes; it's not that hard to implement. In fact, the whole OpenID set-up for me was two library calls (discounting the fact that I had to hack the library itself to add in Simple Registration support, so I could automatically set users' nicknames to their OpenID accounts' nicknames on each login. It's discountable because I submitted a patch, so no one else will have to worry about it.)
1. I don't have an account with this site. They say that if I have an account with (any of these other OpenID-supporting sites), though, that that one would work instead. Neato, but I don't use any of those, so:
2. I'll click on the register link here. Ah, here's a registration page. It doesn't have the site's logo on it, but they said that would happen--they've outsourced this part.
3. Registered. They gave me a link, and said "just treat it as your username." OK; I'll try to remember it, then. "It'll also work on all those other sites we mentioned, and more every day." Neato again; I might check some of those out.
4. I'm back on the site I started at, and I've already been logged in. They got my nickname right and everything.
(days pass)
5. "You've been logged out of the site due to inactivity." Oh, well, what was my username again? That link thing? Oh, here it is in the autocomplete.
6. Hey, it didn't ask me for my password! What the heck? I'm just logged in all of the sudden. I guess that's good, then.
(weeks pass)
7. "You've been", "inactivity", blah blah blah. Autocomplete.
8. Oh, I'm back on that site that did the registration. They're asking me for my password. Makes sense--they're the only ones that I told that particular detail. Put that in...
9. Ah, I'm back on track and logged in again. Nice.
They know how standard registration/login works. They have a browser that remembers passwords for them. They don't need OpenID.
Why is this confusing but e-mail isn't? If I want to send and receive e-mail, I have to find my own provider. I also have to remember this weird string, "me@example.com". THAT'S TOO HARD FOR THE AVERAGE USER!!11!
I tried using openID once. It directed me to google or yahoo or something to log in... So then I had to decide if it was really google or yahoo, or if it was some phishing site.
It's a terrible idea, which is sure to fail. There is no compelling reason for people to use it.
The only problem at this point is the URL username. To answer that, think about what, for example, gmail does: when you have a gmail.com address, you can drop that part and just use the username part of it. Likewise, I'd allow my users to strip off the domain part of whatever my "preferred provider" was, and just say that the "foreign IDs" basically need a "passport stamp" to get in--an attached domain name.
Still too confusing?
I think this guy would dislike e-mail if Facebook messaging had been invented before it. "Everyone with their own domains? That's too confusing. How will we ever explain it? Everyone except me is too dumb to understand!"
(As an aside, why is everyone so obsessed with making things "easy" for "users" they've never met? People aren't as dumb as you expect. Make it work for yourself first -- at least it will be good for one person that way. Your unresearched assumptions are harmful.)
You're right--they are about 10 times dumber. Have you been on Facebook or MySpace, or read YouTube comments lately?
Even taking the youtube commenters I suspect, most of them, would be able to grasp openid if it stood between them and the next ROFLMAO-able video.
I actually think that most people are not dumb ... they just behave that way because it makes them look cool, or because they lived in a cave all their lives and don't know any better.
Instead of being arrogant, treat them the same as you would a smart and educated individual, and I think you will have quite a few surprises.
In fact I rarely meet dumb people, and I'm not living in Silicon Valey, but in a third world country with a corrupted government, and a shameful school system.
Heck, that's how I signed up for Hacker News. You wouldn't be reading this wonderful prose right now if not for OpenID.
OpenID is just a weak idea that needs a LOT and LOT of pushing to make it accepted. Look at the iPhone - nobody pushes you to use it, you see it, like it and use it.
With OpenID people have to be forced to use it, because it's cumbersome and does not offer any clear advantage.
Like I've said earlier, the real auth solution is the one where you simply stick your USB stick into a machine, type a 4 letter pin and everything on that machine is authenticated till you take it out.
A weak concept pushed by technologists and people who want to give talks and earn money off this technology.
This is doable now with client side certificates. No body supports getting user creds from client site certs though. Would they be easier to understand than OpenID? Would they be easier to understand than username and passwords?
The problem is not the underlying mechanism but rather the way it's been presented on most sites. Remembering an openid url is counterintuitive for most people - you have to explain too much to all but the most technical users in order for them to know what's going on.
But now there has been some progress: Yahoo became an openid provider a while back, and they allow you to log in with their openid by simply entering "Yahoo.com," you don't even have to remember your openid URL.
I also used JanRain's ID Selector Javascript widget to make the signup form a little more intuitive:
http://www.idselector.com/
So really I think openid is getting much better as it matures and its developer community tweaks it and the tools around it. If Google and Microsoft fully get on board (which they are promising) I think it will see pretty widespread adoption.
"Unable to login with your OpenID provider: The remote name could not be resolved: 'blog.lexoft.eu'"
And after some time it starts working again. I suspect this is a DNS problem, but using OpenID means a dependence on an external system over which you have no control.
So I like the concept, but a site like StackOverflow should give the option of using normal user accounts as a fallback.
Plus, since you never give a password, you don't have to worry about how they're storing it. Plain text in the database? passwords.txt file in the webroot? Doesn't matter because they don't have it.
"instead of just the "qualified" people who used to get to publish their opinions in the print era" => upmodded for humour. Have you ever read anything in a newspaper owned by Conrad Black? Or anyone else, really? Print media may employ professional journalists.
But their "research" is flawed, they have a habit of regurgitating press releases from their advertisers and the political parties their owners support, and they pander to the prejudices of their readers.
Freedom of the press belongs to everyone who can afford a printing press. The internet is the cheapest, most unencumbered and uncensored printing press in history.
This is what I do...except that every once in a while, I try creating an account on a new site and discover that someone else has taken "sethg". Or the site has some rules about what characters are mandatory/forbidden in a password, and I can't use my default password. Or the site stores passwords in the clear and gets hacked, and I have to remember everywhere I used that default password and go change the password.
In the grand scheme of things this is only a minor irritation, but whenever I go to a site that I only expect to visit once every six months and discover that I have to create yet another site-specific account, I think, "I wish they supported OpenID."
It's especially true in the case of Yahoo users. All they have to do is type in "yahoo.com" and they're in. Try and explain to me how it's easier to remember a bunch of usernames and passwords than "yahoo.com"
And remember: There are no overarching guidelines on usernames and passwords, so the whole "use the same one every time" almost works...but not quite. One site requires a 6-letter password, another requires 9 with one uppercase letter and a number, while another has no requirements whatsoever. That crap gets frustrating as hell for me and there are several sites that I have to re-request my password every freaking time I go.
As more and more big sites come on as providers, like MySpace and Yahoo, it will only get better. I agree that there are issues with presenting and explaining it to users, but the underlying premise is a good one.
There is also a lack of best practices for consumers. When UI conventions are established and users become accustomed to them, it won't seem so confusing. Ideally, the creation of an OpenID associated "account" with a consumer would happen transparently the first time the OpenID is used, if it even needs to happen at all.
As for developers, OpenID may be more complicated to implement than conventional user/pass but it is also more uniform. Once there are mature libraries for common platforms, programmers will save a lot of time versus implementing user/pass from scratch. (I would not consider many current ones to be mature). Anyway, I'm not so sure OpenID is more complicated than a proper auth system with email verification and recovery.