Why I Hate Registration (And You Should Too)
Every time a website wants me to register a new account, I reflexively tense up and feel my blood pressure rising. Sure, it’s inconvenient, but that’s not why I do it. I do it because using your own registration system as the only option is abysmal security. Here’s why.
The first problem I have is that now I have a new login to manage. Good security dictates that you should use unique and complex passwords for each account you have, and preferably variable usernames. This sounds like a great idea, but when you have to register for several dozen different sites, that quickly becomes impractical. While you could use a password manager like KeePass or LastPass, this often chains down your passwords to a single PC or a thumbdrive, neither of which is convenient. The reality is that you’ll have a few passwords that you’ll rotate out periodically.
The second problem is that you now have to trust the site you’re registering on with managing proper security. Preventing intrusions is a tough sell even for major sites, much less smaller ones. If the site you just registered on gets compromised, your login details could be exposed, and if you’ve used them on another site, those accounts get compromised as well. Hashed passwords are no protection either; with a relatively cheap video card, even complex passwords can be cracked in a matter of minutes. Your last hope is that the website operator was smart enough to salt their hashes before storing them, and that the salt wasn’t compromised either.
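To make the salting point concrete, here is an added example (not code from the original post) that stores the same constructed accounts two ways: as a single fast, unsalted hash and as a per-user salted scrypt record. The choice of SHA-256 and scrypt, the cost parameters, and all function and user names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed scrypt cost parameters for this example; tune them for your own hardware.
SCRYPT = {"n": 2**14, "r": 8, "p": 1}


def unsalted_record(password):
    """Weak: one fast, unsalted hash. Equal passwords give equal digests on every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password):
    """Random per-user salt plus a slow, memory-hard KDF (scrypt)."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(record["salt"]), **SCRYPT)
    return hmac.compare_digest(digest.hex(), record["hash"])


def accounts_sharing_a_hash(stored):
    """Group users whose stored hash is identical: what a leaked table gives away."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts: alice and carol reuse the same password.
USERS = {"alice": "correct horse 42", "bob": "Tr0ub4dor&3", "carol": "correct horse 42"}

if __name__ == "__main__":
    weak = {u: unsalted_record(p) for u, p in USERS.items()}
    strong = {u: salted_record(p) for u, p in USERS.items()}
    print("unsalted, shared:", accounts_sharing_a_hash(weak))
    print("salted, shared:  ", accounts_sharing_a_hash({u: r["hash"] for u, r in strong.items()}))
    print("login check:", verify(USERS["bob"], strong["bob"]), verify("guess", strong["bob"]))
```

In the unsalted table the two accounts with the same password are visibly linked, so one recovered password unlocks both; in the salted table every record is different and each one has to be attacked separately at the KDF's cost.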
The final problem I have is that it is very, very easy to integrate third-party registration and authentication solutions into your website. Twitter, Facebook, and Google all make it very easy to use OAuth, a solution that does not require that you store user credentials and provides most of the information you need for registration processes. Heck, even Yahoo and LinkedIn use OAuth if you’re so inclined. Between all of those providers, the odds are good that almost all of your users will have and be willing to use at least one of them to sign up. Sure, keep an in-house registration system as a fallback, but do not make it your primary account system. The ease of using a third-party system means there is no excuse for not doing so.
All of this is in addition to the obvious convenience factor of using an existing account. Please, for the love, allow people to use their existing accounts. Users will thank you later.
“The second problem is that you now have to trust the site you’re registering on with managing proper security.”
This is the BIG one. Nothing angers me more than when I sign up for a website and they EMAIL ME MY PASSWORD! This means they are most likely storing it in plain text which is really, really, really obnoxious and stupid. This is something some 20-year-old n00b would do when writing his own authentication system. (I know. Haha.)
OAuth is awesome. I’ll be integrating that into a site I’m working on next week.
Great to find an article about this serious issue, and to give users a forum where they can voice their views. Kudos!
What bothers me the most as a computer and internet user who has witnessed the personal computer revolution and the birth of the internet, is how serious the problem has become over the years and the inherent fascism of registration itself: now, more than ever, someone has to register at every place they visit, sometimes for things as simple as approving or disapproving a comment or its modern variant, ‘liking’!!!
Do you, for a minute, imagine a world where going into a store requires you to enter your credentials, or getting out of the house and engaging in a discussion with a passerby? THIS is the problem I am referring to, and I sure don’t want to live in a society where everything I do is monitored and accounted for!
Registration is the antithesis of freedom and its most important online variant, free expression. It is always done in the guise of ‘security’ but more often than not it’s done for the simple purpose of censorship and control. And if there is anything that every person should seriously ponder, it is the famous fallacy of ‘if you have nothing to hide, you have nothing to fear’. History tells us otherwise and if anything, privacy and anonymity have always been the bastion of freedom for citizens and its public variant, secrecy, tyranny for governments.
What we need as a society is to seriously re-evaluate these concepts and reestablish the clear rules which are the foundations of our modern democracies that are under attack, the principles of the sacredness of private life and the duty of transparency of those in public life to whom we have entrusted the power and responsibility to govern us.
Registration is tyranny, and it’s high time people in public life recognized they have a duty to uphold respect for other people’s private life and stop trying to control everything, especially other people’s opinions, however distasteful they may appear.
Again, thank you for this great post. A fundamental societal discussion on the subject is sorely needed. Kudos for getting the ball rolling!