Frustration with Unified Identities

by Robert Cooper

So I am frustrated...

A couple days ago, I got an email from Yahoo!:
Your Yahoo! ID is: kebernet
Your password for this account has recently been changed. You don't
need to do anything, this message is simply a notification to protect
the security of your account.

Please note: your new password may take awhile to activate. If it
doesn't work on your first try, please try it again later.

DO NOT REPLY TO THIS MESSAGE. For further help or to contact support, please

You can always change your password by doing the following:

1. Sign in to any Yahoo! service
2. Click on any "Account Info" link
3. Choose "Change Password"

If you cannot find an "Account Info" link, you can sign in to My Yahoo!
( and you'll find it in the upper right corner.


Since I am neither an AOL user, nor have I been to IL anytime soon, it is obvious someone has pwned my Yahoo account. Fine.

Yahoo customer service has been decidedly unhelpful in helping me regain control of my account, which doesn't increase my mood at all. However, it has me thinking more and more about one of the problems with unified identities:

I now can't use my Yahoo! IM account. Flickr is out. I can't control the mailing lists that are directed at my inbox through Yahoo groups. Now really, if it were any one of these services that I had lost control over, that would be inconvenient. However, with a unified identity, I have now lost control over a large block of things that I actually do use.

With all the talk about "Web 2.0" and loosely coupled web services, what happens when some of those loosely coupled services are tied to a monolithic identity system? Honestly, between all the Yahoo merchants I have purchased from over the years, not to mention HotJobs, and all the various things tied to that account, I don't even know what information might be attached to it.

Is a monolithic identity, even within an organization, really such a good idea?


2005-12-04 13:17:46
Standard or Secure Sign-On?
By any chance, were you in the habit of using the standard sign-on to Yahoo rather than the secure sign-on?

I cannot figure out why Yahoo offers the standard sign-on nor why anyone would use it. Sending passwords across the Internet in cleartext is just not smart. And if you're in a cafe using their free wireless access, you could be broadcasting your password to any semi-knowledgeable nasty person within a decent radius.

FWIW, Google's Gmail service doesn't give you the option. It's simply secure.

2005-12-04 14:16:51
Standard or Secure Sign-On?
Well, and I will freely admit some of this is my fault. The Yahoo account is ancient. The password was not a very good one and I should have changed it.

I am honestly not sure about my sign ons. I did use the Yahoo IM, and I don't know if that encrypts your password, but I would bet against it. It did, however, happen within a few hours of my having logged into Yahoo groups for the first time in a long time in order to subscribe to the Rialto dev list.