With the hacked of Gawker Media sites and the release of a list of users and passwords stored on the sites, people all over the Internet started reacting to the news and offering techniques on how this can be resolved.
Some of the proposed techniques include getting rid of the user database implemented on many websites and let an external application handle the customer login using credentials from others sites like Twitter, Facebook and OpenID. In my personal opinion, I really don’t like any of these mechanism because I really don’t trust these companies. Your could argue that they might have better protection than some guy’s new web service that just launched in 30 days to test an idea. Maybe it’s true, but also this guy might have a better mechanism to prevent this kind of leaks than the big companies.
Also, I think it’s not true that having a single point for user authentication is going to resolve the whole issue. Compare it with credit card fraud. Do you think you can solve the credit card theft problem by just having ONE card with a $300,000 limit than having multiple cards with, say $5,000 limits? If someone steals one of the cards, you only loose the 5,000. If you someone steals your ONLY card, you might loose $300,000 and you’re left with NO card. This is call spreading the risk.
A different approach that we use on our sites is to generate a random and strong password automatically for the user and send it to their email. We give them access to what they’re requesting on the site with just entering the email (and other information if necessary) and then email them the password generated. When they decide to come back to the site, they used the autogenerated password. They can change it if they want, but we took that step out of the funnel (guessing and thinking what password to put on) and just let them proceed to perform the requesting transaction and letting them now in an email how to continue using our sites in the future with their new strong password.