
Using Twitter IDs for comments

January 30, 2010

I wrote about 90% of this post over four months ago, before I switched to It seems a bit of a shame to just throw it all away, so here it is in all its glory…

So here’s the short story – I want to allow readers of this blog to use their Twitter credentials to log in and leave comments.

A few weeks ago, Shahid bullied me into getting a twitter account. Up until today, I hadn’t found a use for it, but this morning I wanted to post a comment on Word Aligned, and the Disqus commenting system that Tom Guest uses there lets me log in with my Twitter credentials.

This is really nice. This I like.

Why this is a good idea

Ideally, from a security point of view, you’d use strong, unique passwords for every system/website that you can log into. Of course, in practice this never happens; either you:

  1. try to, but end up with so many that you forget them.
  2. store all of your unique passwords in one place that becomes [almost] as vulnerable as just using one password everywhere anyway (and then find that you don’t have access to your master password file when you’re away from your home computer).
  3. just use the same password everywhere.

The inherent problem with using the same password everywhere is that every individual website that you log into stores and validates your information itself. I have to trust every website to hold on tight to that information. I have to trust each website not to go round and try logging into all the other websites that I’ve used the same user/password combination for.

The fact of the matter is that all of those websites that are storing my username and password don’t actually need a username and password from me in the first place. All they really need to know is that I’m the same user that turned up two days ago.

This is where OpenID comes in. The basic idea is this: you have one account with one website, and only that website knows your password. Then, when other websites need to know who you are, they delegate to the OpenID provider. Those other websites never get to see your password; they just turn to (e.g.) Google and say “is this joe.bloggs?” and if you’re logged into Google with your joe.bloggs account, Google says “yes”.
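The delegation described above, as an added example (not code from the original post, and a simplified model rather than the real OpenID wire format): the provider signs a "yes, this is joe.bloggs" assertion with a key it shares with the blog, and the blog checks it without ever handling a password. The names `provider_assert` and `RelyingSite`, the example URLs and the field set are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SIGNED = ("claimed_id", "return_to", "nonce", "issued_at")


def sign(key: bytes, a: dict) -> str:
    # MAC over the signed fields in a fixed order, one "name:value" line each.
    payload = "".join(f"{k}:{a[k]}\n" for k in SIGNED).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def provider_assert(key, logged_in_user, return_to, now=None):
    """Provider side: vouch for whoever already holds a session with the provider."""
    a = {
        "claimed_id": f"https://provider.example/{logged_in_user}",  # constructed URL
        "return_to": return_to,
        "nonce": secrets.token_hex(16),
        "issued_at": int(now if now is not None else time.time()),
    }
    a["sig"] = sign(key, a)
    return a


class RelyingSite:
    """Blog side: holds the shared key and a nonce cache, never a password."""

    def __init__(self, key, own_url, max_age=300):
        self.key, self.own_url, self.max_age = key, own_url, max_age
        self.seen_nonces = set()

    def verify(self, a, now=None):
        now = int(now if now is not None else time.time())
        if any(k not in a for k in SIGNED + ("sig",)):
            return None  # malformed assertion
        if not hmac.compare_digest(sign(self.key, a).encode(), str(a["sig"]).encode()):
            return None  # forged or tampered with in transit
        if a["return_to"] != self.own_url:
            return None  # assertion was issued for a different site
        if abs(now - int(a["issued_at"])) > self.max_age:
            return None  # too old to accept
        if a["nonce"] in self.seen_nonces:
            return None  # already used once: replay
        self.seen_nonces.add(a["nonce"])
        return a["claimed_id"]  # all the blog learns is who the provider says you are
```
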

Why Twitter is better than Google

You could use Google to log you into other websites, but I’d rather you didn’t. Your email account is sacred. Keep it so. You can’t buy anything with your twitter account. If you forget your Credit Card PIN, you can’t get it sent to your Twitter account. Many, many websites include a “Forgot your password?” system that emails you your credentials. If someone gets into your email account, then they’re effectively a click or two away from getting into all those places too.

Much better then to use your Twitter (or account to log you into these places. Sure, it means remembering two passwords (your Twitter one for your trivial stuff, your Google one for Google), but even I can just about manage that.

Enough already, let’s let people log in with Twitter

So we know it can be done, because WordAligned does it. But Tom uses Disqus, and I don’t know if I want to. Although Disqus does more good things than I need it to, it also takes away a few good things that I want to keep; for example I don’t want to lose my WYSIWYG rich-text editor. Yes, I want to outsource my user authentication, but I don’t want to outsource everything else. Yes, there may be 3 good reasons to use Disqus, but there are at least 4 good reasons not to.

I guess I ought to ask Tom what he thinks of Disqus; I mean, he’s been using it on his site for a lot longer than I’ve been looking into this. I had hoped that he’d already blogged about it, but you (or, at least, I) can’t search his archives, and Google can’t find anything for me either.

Not only that but Shahid hasn’t even got Twitter integrated into his site, even though he’s the one who made me sign up in the first place! And I thought these MBA-types were s’posed to be ahead of the curve…

Oh well, I guess I’m just going to have to make up my own mind.

So I think I might try Twit Connect, which, in the spirit of all good things, does one thing and (hopefully) one thing well (for the record, I found out about this here, which led me to here).

Of course, now that I’m on, I can’t let users log in with their Twitter IDs, and I lost my WYSIWYG editor. So it’s all a bit of a moot point now. Still, at least I don’t have to keep upgrading wordpress…

3 Comments
  1. January 31, 2010 10:54 pm

    Ha! Glad I got you to sign up 🙂 I feel like I’m somewhat in the “comments are dead” camp (yes, irony abounds). There *should* be an integrated comment system with centralised authentication and neat aggregation of content in fun ways. Maybe it’s Facebook Connect. Not sure it’s actually here yet.

  2. February 10, 2010 7:02 pm

    Well, since you asked … I think Disqus is great, and I think the more people who use it the better it gets. My only concern would be if they aren’t fully prepared for all the new joiners they’re getting.

    More thoughts here:

  3. March 1, 2010 10:26 am

    Another vote for the delegation of password provision…
