20 comments

[ 3.7 ms ] story [ 56.2 ms ] thread
What a load of whining rubbish.

Anyone who thinks a short password is secure in this day and age is nuts - particularly as just such individuals re-use passwords across services.

This person would be the first to decry SO if there was any breach of security caused by bad password choice.

The intention of the post was not to whine about the password complexity. Quite the opposite, I think Stack Overflow's strategy is a brilliant way to get you to login/register using Facebook.
But why do you single out Facebook? They offer a total of 15(!!!) ways to log in, including traditional and any form of OpenID.

It really does smell like link-bait by singling out two large sites.

Read their blogs and you will see that SO is keen that you use any available OpenID provider to log in to their site - they have no interest in any one such provider.

Should you have persevered through the terribly difficult task of establishing a password with them then - wow- you would have had a new OpenID you could have used at other sites - without creating yet another username/password combination.

These guys are doing you a favour at their (small) expense and you see it as some sort of con.

Some word combination of horse teeth and gift comes to mind - but whingers there will always be.

This is a strange conclusion from a site that accepts every OAuth option under the sun with the facebook login as the last presented major option.

Assuming a UX mind trick because someone has a strict password policy is a bit far-fetched IMO.

UX mind trick or not, the strict password policy DID ultimately get me to sign in with my Facebook credentials.

My conclusion here is that a strict password policy can actually help a website get more of their users to open up their Facebook profiles to them.

That's more a comment about you than about SO. Also, I don't see why you single out Facebook--I suspect a large amount of people use Google, maybe even more than Facebook. And the technically savvy sort could always use any OpenID provider.
I think the real issue here is the weakness of the passwords your bank is willing to accept.
(comment deleted)
I think this is missing the difference between grabbing your Facebook login and using Facebook's OpenID capability. The only piece of information StackOverflow gets back from Facebook is the fact that you're logged in there.
I don't think this brilliant at all. Anyone who decided to forego the FB Connect route is already someone who wants to sign up. By making it incredibly painful, it'll lessen the chance of him even signing up. Sure, you'll get more FB signups, but the absolute # of signups will decrease.

And what's the advantage of more FB signups? This isn't a social network like Foursquare or Pinterest.

All this tells us is that you typically re-use your passwords, and that they are fairly weak to begin with.
Uhm, no?

I added the Facebook login option* to Stack Overflow, and I can assure you we don't really care which credential you use. We don't do anything different based on Facebook/non-Facebook creds.

Go look at your app settings and you'll see that the Stack Exchange/Stack Overflow app only accesses your Facebook account when you login. We don't do any subsequent queries, by design (we actually discard the auth token, but that's harder to prove).

The vast vast majority of the accounts on Stack Overflow use Google as a login provider. This has basically always been the case (http://meta.stackoverflow.com/q/31021/130213).

* We waited until they supported OAuth 2.0, as we weren't comfortable with the older Facebook Connect.

Really? This is to herd you into using FB?

First issue: How do you know this is the intention?

Second issue: Who cares? You are free to not use the site.

Third issue: There are other options. I sign in using Google's authentication. I did not even know they had FB integration.

Seems more like this post is an excuse to whine about things than anything "real".

Is this a joke post?

8 unique characters? I just checked (as I use a password manager) - 90% of my hand-coded passwords pass this test. The rest of my passwords are machine-generated - and most password generators are capable enough to guarantee unique characters and length.

Maybe StackOverflow's "cunning plan" [1] is really to force you to use a password manager or OpenID?

[1] http://en.wikiquote.org/wiki/Blackadder

At first I thought this was just embarrassingly wrong, but it's more than that; you fabricate details to try and make your point. This is what the SO login page looks like: http://i.imgur.com/4Z8P8.png

SO doesn't push Facebook logins -- they accept any OpenID login, and Facebook is one of 13 default options presented (besides just letting you type in whatever provider you want). They only accept OpenID logins -- the Stack Exchange option is just a Stack Exchange-provided OpenID. You can use that login with any OpenID-enabled website, including Stack Overflow. I can't believe you felt comfortable writing "they strongly encourage you to sign in using Facebook"

Furthermore, they don't even use the Facebook login you're thinking of. Facebook supports oauth, so they connect via that. They're not cleverly stealing all your Facebook data; oauth doesn't work that way. It just got funny when you complained that the password requirements were more complicated than banks, since banks are regularly mocked for their incredibly insecure password requirements

As far as I know they've never published what percentage of users use which type of OpenID, but I know at least myOpenID is very popular. Why you chose to use your Facebook account from one of a dozen options and then bitched that you used your Facebook account is completely beyond me

This is what password managers are for. Here's one that the manager I use generated for me:

   87NTK7g9M;xwF@aQ7tqTK{d(87ftLd4(;a$w]#f7X4<yAFNFwk
I believe that meets their requirements.

I like StackOverflow's login implementation. I believe StackOverflow was the first site I encountered that I wanted to sign up for and whose OpenID implementation accepted i-names. I had =tzs for something like 2 or 3 years before finally being able to actually use it.

StackOverflow is just doing the right thing enforcing a strict password rule. If people don't want to create an account with a strong password and instead end up using FB connect, then it's just what the user chose. I don't think that amounts to StackOverflow being cunning and tricking anybody. I get your point but don't think you should use those words.
kmontrose of StackOverflow informed me in his comment that this in fact was not their intention at all. Futhermore, they don't use any of their user's Facebook profile data. I now realize it was a bit of a stretch to say that Stack Overflow engineered their UX in this manner.

Regardless, the strong password requirement DID convince me to sign in using my Facebook credentials, and I'm sure it will convince others as well. In conclusion, I think a very strong password could actually funnel users into signing in with 3rd party credentials.

Wow, the risks of putting your own blog post on HN :-)

If you're reading edawerd, One Password and other tools like it are real lifesavers in this sort of situation.