Saturday, May 05, 2012

Dear Web Developers, Stop making login systems

It seems to be a rite of passage to author a login system - or several login systems - over the course of one's life as a web developer.  Some systems are more elegant than others but I have to ask:  Is it really necessary?

Let me provide some background.  I was mulling one day and realized that every website I've ever come across has one of two problems:
  1. Multiple login systems all over the place with multiple registration mechanisms (the result of using open source products or just bad programming habits).
  2. Some homegrown, half-baked solution riddled with security issues and poor UI design choices that breaks in half the browsers out there and irritates every user of the system.
Or some mix of both problems.  And don't think it is just limited to cheesy little one-off implementations.  Major big-name websites that people actually use every day are all in the same boat with the little dinky one-off sites.


Then I got to thinking about how many man-hours are wasted every year dealing with login systems.  It takes about half an hour to build a login system (one of the cheesy one-off varieties that have zero security - salting and hashing passwords isn't good enough, BTW).  But that's where the problems start - you discover shortly after that there are spammers, hackers, script kiddies, trolls, etc.  So if you deal with those folks, that's about three months of development time over the lifetime of the system.  But if you don't deal with those folks, your websites will be hacked or spammed to death in short order.  If every programmer, approximately 12 million people in the world (and growing), constructs at least one login system every couple of years, that's roughly:

12,000,000 * 3 * 31 * 24 / 2 = 13,392,000,000 hours

This says to me that approximately 13.4 billion man-hours are wasted each year dealing with login systems.  Okay, so not every programmer writes for the web or authors a login system, but we're still talking about an estimated minimum of two billion hours wasted each year.

This utter waste of time ends now.

Over the past 6 1/2 months, I've been working on a brand new platform:

Single Sign-On Server/Client

This offers a complete, generic login system as an SSO server and client pair.  This system is so much more than just your average login system:  Under the hood is a powerful system that scales out with high availability and offers all sorts of useful security features.  Usually with scalability comes end-user complexity, but I've done my best to hide the complexities behind a nice administration interface and fairly simple installers.  Whatever I was not able to deal with in the admin interface, I thoroughly documented.

For your next project, consider using this SSO server and client instead of rolling your own login system.  You'll save time, money, and hair.

1 comment:

  1. While I understand your argument, and there is a good chance I'll use a solution like your SSO for projects I make, creating my own half-baked login system has taught me more about security than anything else.
