let people log in with Twitter and Facebook, to make StackExchange reputations easily exportable to other platforms.
StackOverflow should change absolutely nothing about their login process. It is perfect. I anonymously answered one question, and all of a sudden I have a profile. No confirmation e-mail, no Facebook or Twitter crap. Just use the site and bam! you're registered. It remembers me every time I come back and it makes absolutely no fucking attempt to worm its way into my social graph.
Just be careful with your account in that state. Stackoverflow only knows your account by a cookie right now. You can't log into it from another machine or if you happen to clear your cookies you won't be able to log back in.
So it is in your best interest to "solidify" your membership if you care about your account.
Well, as long as you provide a valid email (we don't check) you can do an account recovery to reinstate your cookie via email. The main limitation of being unregistered is that you can't ever vote on anything -- but you DO accrue other non-voting privileges through reputation like regular users.
SO probably doesn't want too many unregistered users floating around. Also, one of the success metrics for a Q&A site is the number of registered users. So, it does make sense to force users to go through the almost painless process of registering before they really start engaging in the site.
I have a post I made before I registered my account. How do I tie that post into my existing account now, or can I only "import" old posts during registration? That's a disappointment. :/
I can see why a non tech-savvy user would be confused by OpenID, but it surprises me how many programmers are confused by it.
On the login page they list a bunch of common providers you can log in with if you already have an account with them: Google, Yahoo, AOL, Facebook, etc. Click their icon, type in your credentials.
If you don't have an account with one of those or don't wish to use them then it has a big register link to sign up with a myOpenID account.
You're making the same mistake as people who try to get programmers to fix their printer because programmers are "computer people." Competence with one technology does not confer instant familiarity with another — and however clear you might find OpenID, just the array of company logos alone is kind of overwhelming and highly unusual. Pretty much the opposite of "Don't make me think."
Yes, but Stack Overflow's signup screen takes more thinking than most sites (by virtue of being different, not to mention its complexity). Amazon's signup is far simpler and it does not seem to be terribly insecure.
OpenID makes absolutely no sense to me. Unless they have the sites in a drop down it takes about 5 minutes to read the OpenID spec, google around for where to get the openID url and paste it into the box. OpenID is a solution in search of a problem.
It may have actually been useful if it leveraged DNS SRV records so you could login as foo@bar.com and it would query SRV _openid.bar.com for the URL.
I'm working on a spec similar to this, but using TXT records (as they're URLs, not just servers). I wonder if anyone would be interested in me putting up what I have on this already?
That flexibility is what killed me with SO. I used the site for many months after creating an account, always recognized when I returned to the site.
Then one day I was signed out -- the cookie finally timed out, or was cleared somehow, etc., and I arrived at the login page, and was totally stymied. I always sign up for new services using their_domain@my_domain.tld, and that hadn't been possible here, apparently, because asking for a reminder with stackoverflow@my_domain.tld failed.
Ah, I must have registered with an account at any of these half-dozen sites. Well, I have accounts at all of them -- sometimes multiple accounts for different purposes -- all using different email addresses. I had no recollection at all of which I had chosen; I was totally stymied.
After a few days of trying different ways of getting in, I finally figured out the right one (still don't recall), and then could set stackoverflow@my_domain.tld as my backup email, so now I'm covered... but it was the worst sign-in experience I've ever had.
I'll give you the example of the OnStartups answers community. I am logged in on Safari, and when I go to my user page, it says my OpenID is from Yahoo. Fine.
Now I open Firefox. I try to log in to OnStartups, because it doesn't know who I am. I click on Yahoo, go through the authentication process. Guess what: it says it can't find that account on OnStartups (wrong answer), but finds it on StackOverflow, and asks me if I want to link it to my new account. What???
Are you this Alain? http://answers.onstartups.com/users/502/alain-raynaud if so then your account looks up to date to me, and you were able to log in through Facebook. Realize that this was a legacy SE 1.0 site we imported over, so your account may have had some very old stuff in it, and it may not be representative of SE 2.0 logins.
Respectfully, "We did something on the backend and now some logins no longer function" is a fairly common implementation flaw with OpenID. This is a pretty serious Oops for an identity system. The traditional username/password pair is virtually immune to this, if we assume the developers are competent. (Competence will not solve OpenID delegation, as one example. It is virtually immune to comprehension by mortal minds.)
Something for other HNers to keep in mind if they are considering openID for their next project (flee, flee!)
Speaking generally, I agree, competence is a risky assumption. It isn't risky about the SO devs: I've met some, they're sharp. They're certainly well-past sharp enough to get username/password working right.
But OpenID is easy to screw up. Practically everyone has enormous problems with their implementations. (This goes seven times over for yours truly.) Which is (yet another) knock against choosing OpenID for anything important, versus systems which evidence exists can be implemented correctly. It is possible to bork username/password, but it is possible to implement it mostly correctly, too. I do not think it is possible to implement OpenID correctly. (For what it's worth, StackOverflow's is the best implementation I've seen from the user's perspective.)
The implementation issues comprise a very good point. Do you think this is solvable by better libraries? I've been working on my own solid implementation of OpenID for Django to plug-n-play with the built-in authentication system. Can it be saved and, if not, what's the alternative? Teach developers about bcrypt?
I recently had a problem with their account management as well: SE forgot who I am, and created a new account for my e-mail address. I then recovered my original account, and ended up being logged in as different users (with identical credentials) on the normal site and the meta site.
I do think the no-login approach is exactly right, but their implementation seems a little buggy.
Careful. If a user bypasses a warning dialog from the operating system to run a program they download from the Internet, is it still the OS's fault if it is malware?
Sometimes providing a perfect user experience is equivalent to solving the halting problem and not recognizing this is as big a problem as believing that all problems are the user's fault.
Yes. It's likely a 'Cry wolf' issue where the OS sends warning dialogs about every download, even safe ones. So the user thinks it's a similar file, so it's no problem.
Users had complaints about Windows UAC doing this for every instance (not just downloads).
It's likely a 'Cry wolf' issue where the OS sends warning dialogs about every download, even safe ones.
Right. This misunderstanding was the entire point of my post. Distinguishing between the "safe" downloads and the "unsafe" downloads is an instance of solving the halting problem.
Also, I was thinking of the Chrome "Run Application" dialog, not the UAC.
An exception can be found for every rule, in just about anything.
Nitpicking specific examples and then saying "oh, well this disproves it" proves nothing. 99 out of a 100 times, blaming the user isn't the right move. For the sake of brevity, I used ever and always.
Ah, but we're discussing a specific domain, security, where I think "the user is always right" is often wrong. Requiring a user to memorize 10+ essentially random characters, for example, is an awful user experience, but it is required for security purposes.
Personally, I prefer keys (long, randomly-generated passwords stored in a file or device) to passwords, but I don't know of any reasonable way to authenticate to a webapp with a key.
I've got an openID login for stackoverflow and it's a pain to constantly re-log-in. AND the orange 'welcome' pop-over is really obnoxious. I've mostly abandoned participating there after getting barely 1000 karma a year ago.
Having to do account recovery to recover the cookie is a perfectly valid technical response I guess. However since cookies are invisible, and account recovery is normally a big scary thing, it boils down to this:
(a) the end user has lost something invisible that they didn't even know they had
(b) the method of recovering the invisible token is to go to what is probably the last place they are going to look
No, you can participate (well, post answers/questions; no rep is gained) as an unregistered user without giving us an e-mail address at all (or even giving us a bogus one, we don't check).
If you do provide one, it lets you recover your cookie based account is all.
The "account" is as throw away as you want it to be, basically.
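The cookie-keyed "unregistered" account and its e-mail recovery path, as described a few comments up (the account is known only by a cookie; an unverified e-mail lets you reinstate that cookie) and again just above, modelled as an added example. This is illustrative code written for this thread, not Stack Exchange's implementation; the class name, the token sizes, the one-hour recovery window and the injectable clock are all assumptions.

```python
import hashlib
import secrets
import time


class AnonymousAccountStore:
    """Constructed model of a cookie-keyed account with e-mail recovery.

    An account is known only by a random cookie token, the e-mail on file is
    never verified, and recovery means mailing a one-time link that reinstates
    a fresh cookie. Hypothetical design, not the site's own code.
    """

    def __init__(self, recovery_ttl=3600, now=time.time):
        self.now = now                  # injectable clock so expiry can be tested
        self.recovery_ttl = recovery_ttl
        self.accounts = {}              # account_id -> {"email": ..., "cookie_hash": ...}
        self.cookie_index = {}          # sha256(cookie) -> account_id
        self.recovery_tokens = {}       # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only digests live server-side: a leaked table must not hand out live cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, email=None):
        """First anonymous post: mint an account and the cookie that identifies it."""
        account_id = len(self.accounts) + 1
        cookie = secrets.token_urlsafe(32)
        self.accounts[account_id] = {"email": email, "cookie_hash": self._digest(cookie)}
        self.cookie_index[self._digest(cookie)] = account_id
        return account_id, cookie

    def whoami(self, cookie):
        """Returns the account id for a presented cookie, or None if unknown."""
        return self.cookie_index.get(self._digest(cookie))

    def request_recovery(self, email):
        """Returns the one-time token the recovery mail would carry, or None.

        The address was never verified, so the link goes to whoever currently
        controls that mailbox; that is the only trust the scheme rests on.
        """
        matches = [aid for aid, acct in self.accounts.items() if acct["email"] == email]
        if not matches:
            return None
        # Two accounts sharing one address (the duplicate-account situation
        # mentioned in the thread) would surface here; this model takes the oldest.
        account_id = matches[0]
        token = secrets.token_urlsafe(32)
        self.recovery_tokens[self._digest(token)] = (account_id, self.now() + self.recovery_ttl)
        return token

    def redeem_recovery(self, token):
        """Consumes a recovery token; on success rotates the cookie and returns the new one."""
        entry = self.recovery_tokens.pop(self._digest(token), None)   # single use
        if entry is None:
            return None
        account_id, expires_at = entry
        if self.now() > expires_at:
            return None
        acct = self.accounts[account_id]
        self.cookie_index.pop(acct["cookie_hash"], None)     # revoke the lost cookie
        new_cookie = secrets.token_urlsafe(32)
        acct["cookie_hash"] = self._digest(new_cookie)
        self.cookie_index[acct["cookie_hash"]] = account_id
        return new_cookie
```

The two things worth noticing are that the recovery token is single-use and time-limited (so a stale link in an inbox is worthless), and that redeeming it revokes the old cookie rather than re-issuing it, so a browser that still holds the lost cookie cannot quietly keep acting as the account after recovery.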
Sorry I was not clear and it is not terribly important. I've just wondered what it actually means to be "registered." If I have recovered my cookie-based account it means the account has been verified by e-mail. I'm just wondering, isn't that a form of registration without having to have used OpenID?
It's mostly a distinction between "can login with one click (Registered with OpenId/Facebook)" and "can login with a crazy convoluted path (provide email [again], check email for link, etc.) (Unregistered)".
You can get the lion's share of a Stack Exchange's utility without registering, and this is quite intentional.
Ah, my bad; been a long time since I've had to do anything as an unregistered user, mis-remembered.
Looking at the code, we do require something that looks like an e-mail, for recovery purposes (I assume, that code predates me by a bit). It is not, however, verified.