[freshhawk]

Am I crazy in thinking that this whole problem should have been solved a long time ago by making password management a responsibility of the browser, either by baking it in or mediating the exchange?

Combined with a simple standard for credential exchange (get request to example.com/login to get the list of required fields, post to https://example.com/login to login. Or more likely, some existing standard that handles more cases and is already thought out) this whole annoying problem is no longer affecting every person who uses the web.

Is it too late for this? I feel that it probably would be very difficult to make this work now, it's too late and the browsers wouldn't go up against google and facebook who now want to own and track your identity.

That makes me sad, that kind of stagnation cuts off whole important areas of progress for web users.

[superkarn]

Check out Mozilla Persona (used to be called BrowserID).

https://login.persona.org/about

[freshhawk]

Yes, I remember that.

Ugly solution that didn't expose a UI for sites that didn't support it and still had plain username/password forms. So it's completely impossible to bootstrap this by making some of the features useful to browser users before it was widespread.

Needed a js library because it worked at the wrong level of abstraction and put browserid.org in the middle of the transaction for no sensible reason (well no sensible technical reason but a perfectly sensible political one).

This was not developed by someone thinking "how can we solve a problem our users have" but by someone thinking "it would be advantageous to be in the middle of login transactions and there is a user problem we could bolt that functionality on to".

[natrius]

The persona.org middleman is only used when your email provider doesn't support BrowserID. It is temporary.

It is useful to browser users today. You don't have to remember a new password for each site or become less secure by giving the same password out to multiple sites. I'm going to use it on the next site I build.

[freshhawk]

I should have been more clear. I don't like browserID because there is no route for this to become widespread except for "a significant portion of sites implement this".

You know that saying about any spam solution that begins with "well first we change email" is a stupid solution? Same issue here.

First you need a good password manager front and center in the browser. Then you start augmenting the experience by allowing better integration with the password manager through some standard. If the user already uses the functionality for every site and the experience is better on sites that implement the standard then you might actually see real amounts of integration.

[natrius]

As a web developer, I think that using BrowserID in its current state without browser support is better than implementing my own authentication. As a web user, I'd prefer to use BrowserID to sign up for sites than use individual authentication systems. A system that is better for developers and better for users has a clear path to adoption.

[freshhawk]

I agree. BrowserID is a good authentication solution.

It's not a solution to the problem we're talking about though, I'm complaining about a lack of solutions for easy credential management.

Once everyone implements it then sure, you only need to remember your email password. Unless you have multiple personas, then you'll have a bunch of passwords. And realistically there will be a lot of sites that have different systems or antiquated username/password forms.

So aren't we back were we started? I need a password manager and I'd like my browser to be aware of my password manager and help mediate. BrowserID would be a great place for it to send the appropriate password for sure.