Well, uh... there is a price of admission. To get something you've got to give something.
Considering stackoverflow provides tremendous resources once you get a few points AND it is not that hard to get the points, stackoverflow seems like far less of a pain than expertexchange or the various link-popup-polluted archives.
It's kind of a way out of the whole total-leeching thing. I'd imagine the hn news community would be excited.
there is a question/answer thread on stackoverflow that revolves around a post i made on my blog. seeing that the answers weren't reflecting as much as i personally know about the subject, i figured out how to log in to stack overflow. then i discovered i didn't have enough karma or whatever to leave a comment. i don't care enough to stick around however long it would take to get however much karma it would take to do that. so, too bad stackoverflow users, you're not getting the benefit of my knowledge.
SO isn't oriented around debate but around solving specific problems. I've asked many questions whose answers I needed. I've often gotten answers but not always. In this sense, "threads" or debates on some external issue are already a fail for SO's intent. I'm sure they're there but they're the exception.
Also - it takes 0 karma to answer a question and you get unlimited space. It takes 50 karma to leave a comment and you get about 200 words. If you've got lots of knowledge, you should have answered the question rather than tried to leave a comment on someone else's answer.
I can see his motivation for this -- I was thinking of this exact idea today. There are simply so many rudimentary questions new entrepreneurs ask that can be easily answered. Two examples that I've recently sought answers for are "how do I negotiate for domain names," and "how do I set up a credit card payments system on my website." These are two of many, many more.
I've been a reader of HN since the beginning and have found it an invaluable question/answer database. All my questions have likely been answered before (I've found some really obscure stuff!).
Most queries can be answered by searchyc.com or a Google search prepended with "site:news.ycombinator.com." It'd be nice to have unfiltered access to entrepreneurial questions, ranging from the broad to the very obscure.
StackOverflow works beautifully, IMO, and I hope this blossoms into an excellent complement to HN.
Hey. Regarding the "how do I set up a credit card payments system", you might like this free little ebook I put together when I was going through that particular hell:
That's actually a pretty wonderful e-book. I would change "credit card processor" to "payment gateway" in the subhed on page 14 to match the language throughout the rest of the book. Also, why no love for PayPal's Payflow Pro as a small business gateway?
Yeah. I'd personally prefer to see such a site using the same software as Hacker News, just on a subdomain. ask.ycombinator.com or something.. *Overflow is icky.
Am I the only one who's getting sick of the StackExchange sites? I like StackOverflow, but all of the StackExchange sites fall right into the uncanny valley for me.
I used to be very against StackOverflow's stance of only using OpenID as the login system. However, with the sheer multiplication of the StackExchange-powered sites, the initial investment in setting up an OpenID has, in my opinion, paid off.
I have had no problems (or difficulties) with OpenID - set up an account on myopenid.com, pasted two lines into the source of the root page of my domain that delegates to myopenid, and then I just use that.
I haven't come across a scenario where openid did not work. Care to elaborate?
I think of openid as the git of the login systems. Elegant in its simplicity but comes with a minor learning curve and the benefits of climbing the learning curve far outweigh the cost of doing so. And very much like git, it takes 15 minutes to get over the learning curve if you are good with google and/or have some guidance.
i can relate to that - with logging in with openid here in HN. I had to post an "ask hn" to catch the attention of pg - who resolved it. I couldn't make head or tail of what was happening and strongly assumed that clickpass was at fault. Then pg said he had to fix some code.
Like everyone else in the world, I already have a well-established workflow for managing usernames and passwords. My favorite tool is 1Password for the Mac. It works seamlessly with the majority of websites. It doesn't work well with Stack Overflow. Most sites log me in with one keypress; Stack Overflow now takes two keypresses and a mouse click, and that's after I carefully set it up by hand, because the auto-learning feature doesn't work with OpenID.
I resisted using OpenID for months because I didn't want my login on Stack Overflow to be tied inextricably to my Yahoo or Google identity. I can change a password, and on well-designed sites I can even change a username, but I can't change my OpenID on Stack Overflow by any means that I can find.
(Yeah, I know I could have used some kind of identity-forwarding fu to use my own domain as an OpenID, and then forwarded the actual task of running an OpenID server to some other entity that I could change at will. Whatever. I don't want to have to read a goddamn FAQ in order to log in to Stack Overflow, of all things. Even the Treasury Department, which has the most baroque login scheme I have ever seen, involving a personalized plastic card and an onscreen keyboard, doesn't make me read a manual in order to use their site.)
(And, yeah, I know that there are honest and hardworking startups dedicated to providing me with an OpenID. Not to put too fine a point on it: If my Stack Overflow ID is going to be inextricably tied to somebody else's website being up, I'm going to pick a website that has been up for at least one decade, and promises to remain up for as many future decades as possible. If my identity can't be made to live as long as me, I've got a problem.)
So I finally gave in and signed up with my Yahoo OpenID. I have no idea why I picked them over Google. I doubt it was for their track record of preserving user privacy.
But the pain did not end, because I proceeded to forget which ID I had used. In their zeal to ensure that everyone on Earth is pre-provided with an OpenID, the standard's proponents have created a monster: My OpenIDs outnumber my uses for OpenID by an order of magnitude. I have a bunch of Google accounts, and I tried one or two of them, and then I just decided that I had better things to do than write that post on Stack Overflow. If I hadn't happened to have left another machine logged in to the site with a very long-term cookie, my username would be gone forever. (They can't email you a hint, because they don't capture email addresses.) At least now I've taught it to 1Password, and if that fails me I can Google up this rant. ;)
Sadly, all of this has had the Pavlovian effect of making me feel really angry every time I see the login screen at Stack Overflow, a truly useful and even inspiring site which I read fairly often. Never a second chance to make a first impression, I guess.
"Like everyone else in the world, I already have a well-established workflow for managing usernames and passwords."
Is this true? I was under the impression that password managers are very techie-oriented. Your average user uses "password" or an equally naive variation thereof, with a handful of username/password combinations. I don't think OpenID is intended solely for techie sites.
> Your average user uses "password" or an equally naive variation thereof, with a handful of username/password combinations.
Yes. And... that's a well-established workflow, isn't it? ;)
It's a degenerate case, so I don't blame you for not catching my drift. But my point stands: Any user who sees a username/password form knows what to do immediately, and does it fairly instinctively. Even if the instinct is to do something much simpler than it is secure.
I don't know why I automatically interpreted "well-established workflow" to mean password management software. It must have been the juxtaposition of that sentence with "My favorite tool is 1Password for the Mac." Anyway, point taken.
> I was under the impression that password managers are very techie-oriented ... I don't think OpenID is intended solely for techie sites.
I don't think the providers of OpenID intended for it to be techie-only, but my understanding of user research has shown that it's almost exclusively used by geeks.
I think OpenID has, at the conceptual level, a lot going for it. But in real-world execution, I can't stand it. I much prefer my own username/password protocols.
Nothing wrong with that but that just says you are a late adopter as far as this technology is concerned.
My stackoverflow is not inextricably linked to anything. My identity is my own home page (which by itself is uber cool). And my workflow has never been simpler.
(Oh and you can change your openid url on your stackoverflow profile page.)
No, not inertia. That seems to me a completely inappropriate "summary" of a well-structured reply.
I hate OpenID with a passion because it ties me to one way of working. I too have a well-managed workflow using different IDs and different passwords for nearly every site, ensuring that one leak doesn't destroy all my accounts. I don't need to invest a lot of time and effort learning about something that actually damages my current capabilities.
I would explain further, but since you don't seem to bother to read carefully, I won't take the time.
> I would explain further, but since you don't seem to bother to read carefully, I won't take the time.
That's not fair. I discarded 2 long drafts of the reply above and went with the most succinct one I could find.
This is exactly what inertia is. "I will not move to $new because I truly believe it destroys all the benefits I get from $old and now I have to invest time and effort to learn $new and rework my workflow to account for it."
I sincerely believe that the original parent is describing inertia.
Also, the one leak destroying all my accounts is a misunderstanding of openid. You can use separate openid providers and openids for various services. (I do.) Login without openid is an n to n problem, after openid it becomes an m to n problem and you can choose m as and how you want to. If you want you can still go with n to n.
And again, can you elaborate on what current capabilities does openid destroy? I can't see any.
OK, I regard this as an opportunity to learn. So far I have invested about 3 hours in trying to understand how I can use OpenID to do what I do now, and I feel none the wiser, and resent the loss of time. You appear to be that rarest of things - a knowledgeable enthusiast who will try to communicate clearly.
So, here I am, approaching a new site that requires authentication. Under my current workflow I select a userid, which may, but need not, replicate an existing userid. I select a password which is unique, and an email address which is unique. I use these credentials to signup, then reply to the confirmation email.
Now I have an account on the new service using a userid with a unique password. If that password is compromised, none of my other accounts are compromised. Further, if the email address I use gets leaked, I know who leaked it. This is how I have confirmed that eMusic are email address leaking bastards.
This last capability is important to me, just as is the ability to use unique passwords wherever I go to avoid one leak compromising multiple accounts.
Can you now point me at a document that will show how to obtain the above facilities? I'd appreciate it.
Thanks.
EDIT:
In positioning myself to understand what you write or point me at, I have further found this:
I hope this helps. I think the problem with writing simple introductions to openid is that it just offers too many options and it is difficult to decide how to approach.
Here is an equivalent but by no means equal workflow[a].
Pre0. Choose your openids before you have the sites needing them! This is username/password registration/recovery/emails as it always was[b].
You come across a new site (web-app) and it supports openid login.
Registration workflow:
Reg0. We choose some openid from Pre0. Login into that openid at the openid provider's website in a new tab[c].
Reg1. We tell web-app our openid. What happens then is similar to a net banking/credit card transaction. Web-app takes us to openid provider's website. We say yes, we would like to register/authenticate/allow this and we are now registered and logged in.
Reg2. We can now safely log out of our openid provider in the other tab if we want. We will still remain logged in at the web-app. Rule of thumb: Openid provider doesn't know what is going on at the webapp and vice versa and they cannot affect each other in any way at this stage. (Separate cookies, no shared sessions.)
You visit the website again.
Login Workflow:
Log1. We go to our openid provider first and login.[d]
Log2. Then we go to our web-app and put our openid in. Webapp does some talking behind the scenes with the openid server and logs us in.
Log3. After this point, web-app and openid provider do not talk or know what's going on at the other place. We logout of either server separately.
End of workflow.
[a] Initially, I replicated your workflow feature for feature but that felt like replicating a svn workflow in git. Just like git, openid is a new paradigm. One can replicate old workflow features in many many ways but methods of doing so are hardly instructive or interesting. If you want me to do so or bring back some/all feature(s) back into this workflow I will gladly do so, if only just to show that it can be easily done. openid is very much the git of the authentication world. It is a surprisingly elegant federated and distributed replacement for old small centralized island situations with a similar price in inertia and the learning curve.
[b] May I recommend not mixing your existing ids (yahoo/gmail/etc) with these openids. The single tool for a single job philosophy is nice. wordpress.com is my favourite openid provider, simple interface, minimal and trustworthy enough. myopenid.com is a more fully featured option.
[c] At the risk of sounding verbose and simultaneously committing the sin of not using example.com, here is an actual example. I am looking at the openid login box at stackoverflow.com (SO) and I own user.wordpress.com as an openid. I login to wordpress.com as "user" in a tab and then tell SO that I am user.wordpress.com. SO talks to WP and redirects me to WP. WP asks me what it should tell SO on my behalf. I am then taken back to SO. After this SO and WP do not talk amongst each other and I am logged in separately to both even though my username and password are stored and known only on WP. Neat.
[d] That takes care of any possibility of phishing. (There is a chance of phishing if you are not already logged in to your openid provider and web-app redirects you to a false page. To mitigate this, any respectable openid provider doesn't show a login form ever on a page that you could reach after redirection from a web-app.)
--
Here is the part about the home page thing I mentioned. You can make any page whose head portion you can edit an alias for an openid. So to carry forward our example in [c]. I put
in the head of kniwor-home-page.com which I own. Now kniwor-home-page.com is an openid. If tomorrow I lose faith in wordpress I just edit kniwor-home-page.com and let someone more trustworthy handle my username password login process. (I could potentially host an openid server myself on my own machine if I am paranoid enough.) This as I said is uber cool. I thus truly own my id!
And I think one can already see all the wonderful things this brings to the table once one is past the initial learning curve. Nothing of value from the old system is really lost and all of the old can be replicated easily. You could just sign up with a new open id provider every time you need a new registration if you want to replicate the old days but it is much more neat to distribute control and trust by importance and other personal metrics. Points of failures are just shifted from places that were not created to handle them (email providers) to places that are now designed with that explicit purpose in mind and a lot of emails double up as openids if you insist that that is where you want your points of failure.
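The home-page delegation described in the comment above, as an added example (not part of the thread and not any commenter's code): a small audit of the `<link>` tags in a page's head, since whoever controls those tags decides which provider authenticates the identity. The `rel` names are those of OpenID 1.1/2.0 HTML discovery; the hosts and both sample pages are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values used by OpenID 1.1 and OpenID 2.0 HTML-based discovery
DELEGATION_RELS = {"openid.server", "openid.delegate",
                   "openid2.provider", "openid2.local_id"}
# (provider endpoint, delegated identifier) pairs per protocol version
PAIRS = [("openid.server", "openid.delegate"),
         ("openid2.provider", "openid2.local_id")]


class _HeadLinks(HTMLParser):
    """Collect delegation <link> tags, noting whether they sit in <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}          # rel -> list of href values seen in <head>
        self.outside_head = []   # rel values seen outside <head>

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        if tag != "link":
            return
        a = dict(attrs)
        # one tag may carry several rel values, e.g. "openid2.provider openid.server"
        for rel in (a.get("rel") or "").lower().split():
            if rel not in DELEGATION_RELS:
                continue
            if self.in_head:
                self.found.setdefault(rel, []).append(a.get("href") or "")
            else:
                self.outside_head.append(rel)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit_delegation(html):
    """Return (delegation tags found in <head>, list of findings)."""
    p = _HeadLinks()
    p.feed(html)
    findings = [f"{rel}: declared outside <head>" for rel in p.outside_head]
    for rel, hrefs in p.found.items():
        if len(set(hrefs)) > 1:
            findings.append(f"{rel}: conflicting values {sorted(set(hrefs))}")
        for href in hrefs:
            if urlparse(href).scheme != "https":
                findings.append(f"{rel}: not served over https: {href}")
    if not any(server in p.found for server, _ in PAIRS):
        findings.append("no provider endpoint declared in <head>")
    for server, delegate in PAIRS:
        if delegate in p.found and server not in p.found:
            findings.append(f"{delegate} present without {server}")
    return p.found, findings


# Constructed sample pages (placeholder hosts, not real providers).
GOOD_PAGE = """<html><head><title>home</title>
<link rel="openid2.provider openid.server" href="https://openid.example/server">
<link rel="openid2.local_id openid.delegate" href="https://user.openid.example/">
</head><body>hello</body></html>"""

BAD_PAGE = """<html><head>
<link rel="openid.server" href="http://openid.example/server">
<link rel="openid.server" href="https://other.example/server">
</head><body>
<link rel="openid.delegate" href="https://user.openid.example/">
</body></html>"""

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        print(name, audit_delegation(page)[1])
```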
> Oh and you can change your openid url on your stackoverflow profile page.
Have you tried? Is this a special power unlocked by high karma, or something?
My profile page displays my OpenID url, thank god, or (as I already mentioned) I would have no idea what it was. But where, oh where, can I change it? The displayed value is greyed out and unclickable.
I am staring at my stackoverflow Edit Profile page right now. It has handy fields for "Display name", "email", "real name", "website", "location", "birthday", and "about me".
Oh, and there's "change picture".
It is an apparently elegant UI, not too cluttered, and there is no field for my OpenID URL, which is an ugly-ass string of Yahoo-derived GUID. Believe me, if that string was on this Edit form, I would expect to see it. It would stand out like a pit bull in a hamster cage.
But maybe I just can't see it. Age has not been kind. So please tell me how to change it; I sincerely want to know that I can.
New login. There is a new login on your profile page.
That will allow you to associate an alternate openid. You can swap alternate and primary openid on the profile page and every new login overwrites your primary openid.
- I had conceptualized my goal as "edit my OpenID" and was therefore looking for it on the edit page, not the main profile page.
- The words "New Login" seem unrelated to my goal: I have already logged in, so I don't need to log in again.
- If I did notice those words, I surely interpreted them as another way to say "Log out, so that someone else can log in with another name". Many other sites have such links, and when you click them they take you to a new login page, which is just what this one does. It looks for all the world like you've logged out and have to log in again. Only if you read the fine print do you find out that the second page is for logging in on top of your previous login. Because in OpenID world you can log in six or seven times to the same site! How intuitive.
this leads to a "do you like/dislike openid"... but i think it is irrelevant. it is more "why does such an application force this on you?"
this application is not about promoting openid, it is about asking/answering questions on startups. So the identification and authentication should remain mainstream, so as not to uselessly disturb the user.
openid is an option; username/password, google, facebook and co provide others
I don't particularly like the OpenID either. It's crap security and crap usability, at least in all the implementations I've seen so far. I would love to see a great example of a great implementation. Anyone? :)
For what it's worth someone asked Joel this after the first DevDays in Boston and he said adding a normal username/password login was at the top of their list.
stackoverflow doesn't just use openid, they give you like a hundred different options. It's pretty surprising that they don't have it for stackexchange.
I just rechecked. StackOverflow does support a bunch of different providers -- but they're all based on OpenID. No support for Facebook or a "standard" username/email/password model.
I think for the SO userbase, it's likely fine. But, for other more mainstream audiences, OpenID is not ideal. Too much friction in the process.
StackOverflow does just use openid. It just happens that yahoo, google, facebook, etc are all openid providers. But SO only accepts openid as a login method. (Hence SE is the same currently, but that will change.)
Does anyone know what license is used for the stackoverflow code and where/if it's currently available? From reading the article it sounds like Jeff and company are making the software available to the public in some form. I'd really like to learn more about this.
That remains to be seen. I've seen quite a few systems come out over the years - MetaFilter clones and open source Reddit, to name just two - where a lot of new sites are created but then fail to thrive. A year or two later, hardly any exist anymore even though the original site is still doing fine. Technology isn't community, long term.
"Dave, I'm sorry, I can't let you (upvote|comment|put links in answers|do much of anything)"