Webapps and user accounts

Posted in Uncategorized by elisehuard on January 19, 2009
  • If at all possible, don’t use user accounts. No login and password. We already keep too many of them, on so many sites.
  • If user accounts are really necessary, and security is not paramount, try to go with OpenID. See the previous point.
  • If OpenID won’t cut it, use an email address as the login. Chances are you’ll need one from your user anyway, so that removes the redundancy in login info.
  • Only if you need a nickname from your user should you let them specify a username and password combination. Make it easy to retrieve lost passwords, because they will lose them.
  • Use SSL with a decent cipher suite for any connection that sends passwords over the wire; otherwise you might as well drop the user accounts.



8 Responses


  1. Philip Paeps said, on January 20, 2009 at 8:53 am

    I wonder if the OpenID myth is a good idea.

    What’s wrong with client certificates?

  2. elisehuard said, on January 20, 2009 at 11:04 am

    euh, myth? 🙂
    There’s nothing wrong with client certificates, it’s just that Joe User doesn’t really have one (yet). So far it’s mostly geek territory.

  3. Wouter Verhelst said, on January 20, 2009 at 6:45 pm

    Unless you’re a bank or something where security is insanely important, don’t impose any requirements on password security. Doing so will force most of your users to invent yet another password that they will forget anyway.

    Oh, and you can drop the ‘IMHO’ as far as I’m concerned 🙂

  4. Jan Claeys said, on January 27, 2009 at 8:00 pm

    Actually, most people use the same password on every site they have to register for (and often the same one for logging into their PC too). They will never forget their password… 😉

  5. elise said, on January 27, 2009 at 8:12 pm

    You could be right, unfortunately.

  6. Pascal Van Hecke said, on February 5, 2009 at 10:50 am

    For low-threshold apps you could even suffice with a not-expiring session cookie that can be restored by clicking a reminder link sent by email.
    So your user only needs access to her/his email to get back the session.
    Optionally you could send a (regenerated) password along with the email, but the user doesn’t actually need it.
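The email-link login Pascal describes, as an added example (not code from the post or from any 37signals app): a single-use, short-lived token is mailed as a link; redeeming it hands out an HMAC-signed session cookie that does not expire on its own. The 15-minute link lifetime, the server key and the example URLs are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for the example: a real app loads the key from config.
LINK_TTL_SECONDS = 15 * 60   # reminder link is single-use and short-lived
SERVER_KEY = b"example-only-replace-with-a-random-32-byte-key"


class MagicLinkLogin:
    """Password-free login: a mailed link restores the user's session."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # sha256(token) -> (email, expiry); raw tokens are never stored

    def issue_link(self, email, base_url="https://app.example/login"):
        """Create a one-time token and return the URL to put in the reminder email."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._now() + LINK_TTL_SECONDS)
        return f"{base_url}?token={token}"

    def redeem(self, token):
        """Consume the token from the clicked link; return a session cookie or None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # pop => a link works only once
        if entry is None or self._now() > entry[1]:
            return None                            # unknown, reused or expired link
        return make_session_cookie(entry[0])


def make_session_cookie(email):
    """Cookie value is email|random_id|hmac; the HMAC stops clients forging it."""
    body = f"{email}|{secrets.token_hex(16)}"
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"


def session_email(cookie):
    """Return the email a cookie was issued for, or None if it was tampered with."""
    try:
        email, rand, sig = cookie.rsplit("|", 2)
    except ValueError:
        return None
    body = f"{email}|{rand}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return email if hmac.compare_digest(sig, expected) else None
```

Logging out on a shared machine still has to delete the cookie server-side or client-side, since nothing here expires it.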

  7. Pascal Van Hecke said, on February 5, 2009 at 10:51 am

    (If I’m not mistaken, one of those 37signal apps works that way)

  8. elise said, on February 5, 2009 at 10:57 am

    @pascal interesting – I didn’t know that option.
