Rather than having Internet visitors maintain an easily forgettable bunch of passwords, Web application builders should use federated identity services, enabling users to have just a few passwords protected by entities with substantial resources in security, XML co-inventor Tim Bray argues.
With federated identity, users sign into multiple sites via accounts with a major Web provider, such as Facebook or Twitter. This, he said, enables users to create one good, hard-to-remember password instead of having to recall a bunch of them. Companies like Google and Facebook employ hundreds of engineers who look for intruders, said Bray, speaking at the DevBeat conference in San Francisco this week: "You're better off putting all your eggs in one basket and watching that basket very carefully."
He panned the practice of having users pick and maintain passwords. "Passwords are bad. They are not your friends. They are not your users' friends," said Bray, developer advocate at Google. Users are subjected to cumbersome requirements, such as having to have passwords that are eight characters long, with one alpha character, he notes. "If you do this, you are being mean to people."
Compounding the issue, typing passwords on mobile devices is a problem, he adds. "It's a horrible, horrible experience."
Users cannot remember passwords, so they end up having to go through password recovery via email. Or users use the same password for every site, resulting in a security issue if this password is ever stolen, Bray notes. He also cited major incidents of passwords being leaked from sites like Yahoo and LinkedIn, and the existence of online services that even sell user account data. "[Bad actors] want to get those passwords and use them on the user's bank accounts."
Bray's arguments persuaded developer Christian Hansen of CrowdCurity, which does security testing. "It makes sense to have just two or three accounts where you store your passwords," Hansen said.
This story, "XML co-inventor: Now's the time for federated identity," was originally published at InfoWorld.com.