[OpenID] My password is 'password'

Chris Messina chris.messina at gmail.com
Sat Nov 28 20:48:47 UTC 2009


Shade,

You bring up an important topic, and one that is very difficult to address.

First, I think that the mental model of "identity" in the general populace
does not well match the model that many of us share, and user education
[alone] is always a nearly-impossible approach to changing behavior.

Second, the behavior that you've described is a hard one to combat for many
reasons. For one, as you said, people have been "trained" to cough up their
password whenever someone asks so that they can move on. My intuition tells
me that the password prompt is the new clickwrap screen and people just plow
right through it without even thinking about who's asking for the password.
Of course this explains why phishing is so successful.

Thus, given this, I think there needs to be a somewhat different model
advanced, where an individual closely associates some aspect of their
profile (be it profile data, friends, photos, etc) with a given identity or
identity provider.

I wrote more about this on my blog:

http://factoryjoe.com/blog/2009/11/27/designing-for-the-gut/

In sum, don't try to develop a solution that is rational per se — or
front-loads the sign-in task — but instead one that aligns with one's "gut"
feeling about where they are or what they're trying to do.

If you rephrased your proposal to be more like "perhaps we could help people
understand that they store their 'identity stuff' somewhere other than the
website they're currently on and need to go get it", maybe then you'd have a
closer framing to how regular folks think about this kind of stuff.

In other words, no one thinks about "identity" explicitly — I imagine they
have a near-approximation of who they "are being" in that moment, and then
act accordingly, just as you use a pseudonym on this list but probably your
real name when you interact with, say, your family. You know not to sign
your posts with anything but Shade, and to send emails from a specific email
account. You do this all implicitly; instinctually. You don't need to think
about it.

In a similar way, we need to design solutions that map to people's mental
models of themselves as actors in the world doing things... and then go from
there.

Chris


On Sat, Nov 28, 2009 at 10:05 AM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:

> Thinking on the past discussions about countering users' training to enter
> their passwords at a prompt, I wonder if they can instead be trained to
> enter their actual password when at the main site, and 'identity' (or
> 'openid', or any number of accepted synonyms) when elsewhere, thus providing
> a solution to two problems:
>
> 1) Counter-training users instead of un-training them (the latter weakens
> their habits at the main site).
> 2) How to indicate that they want to login with an OpenID (external)
> Identity rather than log in as a normal user for the RP/site in question.
>
> -Shade
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>



-- 
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable    [X] ask first   [ ] private