
If you are pasting passwords, you are really using an ad hoc third-party SSO authentication provider (which may or may not also use the equivalent of 2FA) via a manual token-exchange mechanism. Better than allowing pasting passwords, just support OpenID or some similar federated authentication solution, which does the same thing without manual token exchange and the attendant opportunities for errors.

You might want to allow paste, too, but it's the clumsy solution.




> ad hoc third-party SSO authentication provider (which may or may not also use the equivalent of 2FA) via a manual token-exchange mechanism

This is a huge step up from a memorized password. Go ahead and implement OpenID too, but don't force people down to the level of memorized passwords needlessly. Expending effort to prevent pasting is a stupid move.


> Expending effort to prevent pasting is a stupid move.

Oh, I agree. I was more talking about people who have already expended that effort (so it's zero marginal effort) and are considering reversing it (which has a small but non-zero cost.)


Think of it this way: passwords are a more standard API than OpenID. Since passwords are the standard, they are "implemented" by all your clients. That cannot be said for OpenID.


I'm not suggesting "don't implement passwords" (which are first-party authentication) or "don't support password pasting" (which mainly supports ad hoc third-party authentication with a manual token exchange), but if you are actively choosing to support pasting (and, thus, third-party SSO with a clumsy UI), you should also strongly consider supporting third-party authentication with a decent UI.


The password manager solution is, if you'll allow me to strain your analogy a bit, "second-party SSO". That is, it's SSO that I, the user, manage however I prefer. Password pasting is an extensible API for achieving that.

But we don't disagree, folks should definitely implement things like OpenID.


Passwords offer a much more consistent UX across sites and leave the user much more in control. Plain text is a lowest common denominator but that allows a lot of tools to work with it that can't handle fancier models.



