By Janrain Team | Posted on January 28, 2010
Last week, the NY Times published an article entitled “If Your Password Is 123456, Just Make It HackMe.” There were a number of great points in the article, and in the follow-on posts by readers.
This article drew over 140 comments from all over the world in just several hours before the NY Times closed it to comments. The most popular responses gave suggestions on how to make your password management more intuitive and secure.
There were some great suggestions for how people can manage site-specific passwords, but the bigger question is: why should you need a unique username and password for every website that you visit? Most corporations have deployed an approach called single sign-on (SSO) to eliminate this problem for their employees. Once you log in to your corporate intranet, you can instantly access sales, marketing, supply chain logistics, accounting, payroll, benefits, travel, 401K services, and a host of disparate web-based services via your corporate SSO identity – no unique usernames and passwords for each service.
Wouldn’t that be a great solution for people trying to access all their services on the web? Do you really need to have a separate username and password for your newspapers, magazines, phone company, utilities, airlines, college alumni websites, cable operators, hardware and software vendors, federal/state/local government agencies, car dealers, hotels, insurance companies, online retailers, etc.?
If you only had one or a few identities, it would be much easier and more practical to implement some of the article’s recommendations, like picking a complex password or resetting it periodically. And what if someone were managing that password for you, proactively monitoring it to ensure that it wasn’t being misused, using sophisticated technology and procedures like those banks use to prevent credit card fraud? Then imagine that you only have to log in with that trusted password management service, and your logins on all the websites you use are managed for you by one trusted partner. As a result, your password is never shared with other websites or distributed across the web. Imagine being able to show up at the websites you use and just click a button to log in. No username or password to remember for all those websites.
Well, that solution is available today on over 9 million websites. The leading solution is based on an open source technology called OpenID, which is supported by Google, Yahoo, AOL, Microsoft, PayPal, IBM, Verisign, France Telecom, Telecom Italia, MySpace, Facebook, NEC, Mixi, and many others. There are also other vendor-specific solutions by Microsoft, Twitter, and Facebook that provide similar functionality. The combination of these technologies is generally referred to as “user managed identity” (UMID). The general approach is that individuals create and manage their online identities by choosing one or more “identity providers” (IDP) like Google, Yahoo, Microsoft, PayPal, or Facebook to serve as their trusted agent for registering and logging into websites. You can read an earlier post summarizing recent developments in OpenID and UMID here.
So now is the time to become familiar with UMID. Try it on some websites when you see it as an option. And if you become a fan, request it from the other websites that you use. As more websites begin to deploy UMID options, and as more internet users demand it, we’ll achieve the momentum necessary to make this a standard part of everyone’s web experience.
See further comments here.