Friday, July 12, 2013

Database Deadpool: 10:1 Odds Against Janrain's MyOpenID

Alert: If you obtained a naked OpenID from MyOpenID and then gave it to one or more other websites, quick!
Get another naked OpenID, from someone else, then update your profile on all those other websites.

What's a "naked OpenID"? It's a URL like this:
  • if you got it from MyOpenID, or

  • if you got it from Verisign, and so on,
as opposed to a "hidden OpenID" like your Google or Yahoo user id which you can use on other websites without having to set up separate passwords.

Where do I get a naked OpenID? Well, you could pick from the "Other Well Known & Simple Providers" list on the OpenID Cult Foundation website, just don't pick MyOpenID.
Naked OpenIDs aren't that popular for website logins, so chances are you will only have one or two to deal with. For example, on the SQL Anywhere forum,
  • go to your profile page,

  • click on User tools - authentication settings...

  • then click the Add new provider button.

  • That takes you to the User login page...

  • where you can "Enter your OpenID url"

  • and click Login to save it.

  • To check it, go back to User tools - authentication settings - Add new provider to see if it shows your new OpenID url.

Why should I bother?

Because the MyOpenID provider service is at death's door... it's no longer supported by Janrain, and it was recently off the air for days. That meant some folks (well, one folk) had trouble logging in to the SQL Anywhere Forum and other websites like StackExchange.

That's why the Database Deadpool is offering 10:1 odds against MyOpenID surviving much longer.

Don't take my word for it, check out all the noise on Twitter...

Twitter search results for "myopenid" on Monday, July 8, 2013 at 1:45 PM EST

 Robert Denton @robertdenton 4h  is down.
 Daniel Morrison @danielmorrison 4h
dammit, I can’t water my plants because
is down. #geekproblems
 from Collective Idea, Holland

 David Eisner @deisner 4h
Any idea when #myopenid will be up again, @Janrain? …
 Ariel Ben Horesh @ArielBH 6h
In the last few days I'm unable to use myopenid. is it dead?
 Paul Zagoridis @paulzag 7h
Most of you don't use @Janrain's  It's no 
longer supported, so you should migrate to another #OpenID service
 Thomas F. Nicolaisen @tfnico 10h
This is why properly sunsetting products is a good thing: @janrain 
lets  go down w/o warning nor status info.
 David R @davr 13h
So is @Janrain purposefully killing off myopenid or what? Failing 
of openID: if your ID provider dies, you're locked out of tons of accounts
 David K. Jones @tadmas 14h
Frustrated that MyOpenID is down right now. Sounds like they've 
been down for a few days. Time to set up another #OpenID provider, I guess.
 Ben Dornis @buildstarted 15h
hey, @openid. you should remove myopenid from your list of well 
known and simple providers as it's no longer actively maintained
 Ben Dornis @buildstarted 15h
so @janrain are "pioneers" of social identity yet they don't care 
about their products like myopenid
 Jan @jan 7 Jul
hey @janrain  is down for more than 12h now. 
what's up?
 Colin Charles @bytebot 6 Jul
What has happened to  ? @janrain any reason its dead? 
will it come back? #openid
 Alan Gardner @mr_urf 6 Jul
So MyOpenId appears to be gone :/
 Dod @TheRealDod 6 Jul
Urgent! Any decent (e.g. has SSL) #OpenID provider I could direct customers 
to now that  is dead? cc @Liberationtech
 Dod @TheRealDod 6 Jul
A few days after google critically wounds #RSS, @Janrain's MyOpenID goes 
down, messing up the #OpenID community. Bad week 4 hippie standards
 Marius Gedminas @mgedmin 6 Jul
Can't log in to using my OpenID because myOpenID says "An error 
has occured while attempting to fulfill your request."
 Anthony Steele @AnthonySteele 5 Jul
As soon as myopenid is back up, I can start movig my #stackoverflow account 
away from relying on #myopenid
 Eric A. Meyer @meyerweb 5 Jul
Could whoever is in charge of myOpenId·com give the reboot button a kick?  
(The reboot is for everyone. The kick is for me.)
 Anthony Steele @AnthonySteele 5 Jul
I can't log into #stackoverflow because myopenid is down. 
 Tom Novak @to_nov 5 Jul
#myopenid not working again. does anyone know whats going on?

OpenID: Your Very Own Single Point Of Failure

Think twice about using OpenIDs at all, naked or hidden. Ask yourself this, what happens to all the data when your OpenID provider goes dark?

Even if that doesn't worry you, what happens if an Evil Doer obtains your OpenID provider user id and password? It could be your MyOpenID password, or it could be your Google password since Google user ids can be used just like OpenIDs... in fact, your Google user id is an OpenID.

If that happens, then the Evil Doer has access to ALL the sites where you used that OpenID... because those other sites did not force you to set up different passwords.

Which is a very bad idea. 1995-06-02

OpenIDs aren't really intended to make your life easier, they are designed for companies like Janrain to "offer a database to collect, manage and leverage social profile data".

Ask yourself this: Does your bank let you login with your Google user id?

No, banks have other ways to take your money.

No comments: