I can't be trusted. Neither can you.
If you have me make a password, I'll do one of these things:
- Use the same password on other sites because I don't want to try to remember them all
- Make a fake email address and password just for your site because I don't trust you
- Make a new password for your site and forget it, then cause you to have to support resetting it for me
- Just not sign up at all, it's not worth the emotional baggage
And if you decide to make me sign up with a new password, you will have to do all of these things:
- Salt and hash the password before it touches your database, using a deliberately slow password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count), not a single round of MD5 or SHA-1
- Give me a secure (TLS) connection every time my password crosses the wire, not just the first time I log in, and for every request that carries the session cookie the login hands back, since that cookie is as good as the password
- Lock down the web server itself, since it holds my plaintext password in memory while it checks it, and everyone else's too
- Build a secondary way for me to prove who I am, since I will forget my password; that password-reset flow is a login path in its own right and gets attacked as one
- All kinds of other stuff an expert on web security would know and I wouldn't
I've become more aware of this problem, as my iTunes account was compromised somehow and someone charged some $50 gift certificates to it.
Of course I had to go change all my passwords for any accounts that shared that password, and that is a big hassle. Yes, I know I shouldn't be using the same password for multiple sites, but it is so annoying trying to keep track of multiple passwords.
I am using LastPass now, we'll see how that works out.
Just don't do it
So rather than making people resort to a service like LastPass, just do the right thing. Let someone else handle the authentication for you.
There are plenty of solutions out there.
Personally, I don't care which one you use. Most people are going to have an account on all three. I like to imagine that someday the world will be a perfect place where there is only one place you log in, but until that day, don't pollute the space further!
If you really feel that you need to create a login system for your application, consider this:
Users like easy
More people will sign up for your site if they don't have to sign up for your site. I can't count the number of sites where I got halfway through the sign-up process and closed the web page, because I just didn't feel like it was worth the effort.
On the other hand, there are many sites that had OpenID for a sign in or sign in with Facebook, and I quickly joined, because it was almost no effort.
Consider how easy it is to sign up for StackOverFlow.com, and how easy it is to log back in. Often I will google some search result and get to the site not intending to log in, but then I remember how easy it is and I just click the Google OpenID button and I am logged in. Just like that. I like easy mode for web sites.
Best security is to delegate
As a developer I have a motto: “I suck at security.” Unless you are an expert in security (probably even if you are), you should have that motto too. It doesn't mean not to learn about security. It doesn't mean not to enforce security as best you know how. It just means realizing that whatever you think you know, you still suck, and it won't be good enough.
If you take that mindset you are much less likely to be over-confident and think that your mad cryptographic I-once-took-a-class-on-cryptography skills will be sufficient. If you take the mindset of “sucking” at security, you are going to want to delegate security to someone and somewhere else.
The best way to be secure is to hand the responsibility to someone whose job it is and who knows it inside out. Don't want to lose credit card numbers? Good, don't store them. Don't want to risk your users' passwords? Good, don't store those either.
Vacation
Off topic here. I am taking a short vacation (no relation to the iTunes incident), so there won't be blog posts on my usual schedule for a bit.