echo "hey, it works" > /dev/null

just enough to be dangerous

Jeremy Keith—The password anti-pattern


... asking users to input their email address and password from a third-party site like GMail or Yahoo Mail is completely unacceptable

Adactio: Journal—The password anti-pattern

Jeremy Keith's password anti-pattern post came across my radar again recently. This was written almost 21 years ago in Internet time (2007), and it's still an issue today, even with the growth of OAuth as an alternative.

We should start a shame file. I've only just signed up for it, and it looks like it might be really useful, but the first entry is Dropbox.

Dropbox using the password anti-pattern

snellspace.com » Blog Archive » Identity and Authentication


I think it is well established that HTTP Authentication needs a major kick in the ass and OpenID and OAuth may get us most of the way there. However, until I see RFC#’s attached to both I’m hardly going to consider them to be complete. I propose the creation of an IETF WG on Identity and Authentication. The WG would be chartered to produce two RFC’s covering each of the two areas. OpenID and OAuth could be used to seed the WG effort.