The infamous user/password combination has been with us for as long as we can remember. Proliferation of services on the Internet somewhat fuelled by the large increase of the online population has led to a “login hell” – so many places on the Internet require you to identify yourself that most of the normal people simply can’t keep up.

The result is unfortunately that people start using one and the same identity for many services, not realizing that once a site owner has their username/password, if the site owner is malicious, and the user is careless enough to use the same login for other sensitive services like online banking, the user is in a big trouble.

Those that are aware of the risks and keep a list of logins in a password manager application are annoyed by the number of logins they have to maintain, keep and back-up. Even worse, most of the services require a valid email, so you have to make sure that you have enough of disposal emails to last you forever (you aren’t using your real email address for a random Internet service, are you?).

Almost any site today requires a login. For some sites, this really is a necessity, for some, it’s simply a convenience. I was recently “infected” with the coding challenges on Code Golf. Naturally, because the whole concept is essentially a competition, the site requires a login. For some reason, they want my email and they want me to confirm the subscription by clicking to a link provided in the first email automatically sent by the system (this is a standard practice). I signed up several days ago but haven’t (yet) posted a single solution (out of 4).

The problem is that they never sent me a confirmation email. OK, I tried to signup again, but the username is already taken (by me!). Fine, I’ll contact them through the forum and let them know about this.

Well, I would have posted if I could – I needed to login to post to the forum! Excellent…

All of this would be much simpler with a system like CardSpace. Heck, for CodeGolf, just like for many other places, I wouldn’t even need to create a new card, but use a self-issued one, the same one I’d use on a myriad of other site. Code Golf doesn’t really care who I am, only that whenever I return to the site I can be uniquely identified, whichever user/real name I provided to the system.

This way, not only do Code Golf site administrators have to write their own login system, but they have to keep the username/password combinations too (or at least hashes of the passwords) and make sure their code works (there are bugs in the code that sends a verification email obviously).

In the end I might simply try to signup again, wasting my time trying to figure out another username and the space in their user database with at least one wasted username…