Be Careful With OpenID

No, there is nothing wrong with OpenID, and there is nothing to worry about security or privacy. Giant players like Yahoo! and Google has also been implementing OpenID for quite some time.

I lost my account at Stack Overflow because I was using WordPress.com as an OpenID. Well, I lost it for about a day because the nice people at Stack Overflow was nice enough to help me merge my previous account and a new account I just created.

What happened? I used OpenID without a full understanding on how it works. I used my WordPress.com URL http://romantika.wordpress.com which I used as a placeholder back then to get an API key for Akismet. What WordPress does is embed the OpenID endpoints into each of the blog URL. For example:

<link rel='openid.server' href='http://romantika.wordpress.com/?openidserver=1' />
<link rel='openid.delegate' href='http://romantika.wordpress.com/' />

One important thing that you need to realize is that once you deleted a blog URL in WordPress.com, you will never get it back and a page saying that the blog has been deleted will be displayed. I deleted my WordPress.com blog to prevent it from becoming an eyesore, and to avoid redundancy. Little did I know that my OpenID vanishes along with the blog.

I would not have lost my Stack Overflow account if I realized earlier that they already allow multiple OpenIDs. So if one OpenID provider vanishes, I can use the alternatives and not bug the guys at Stack Overflow. Although, they did mention:

Accounts are keyed on unique OpenID strings, so if by some accident you end up with multiple accounts, or a “new” registered account you don’t want — don’t fret! It is super easy for us to merge any two (or more) Stack Overflow accounts. Just email us at [email protected] with the user IDs or the user page URLs. We’ll merge them for you no problem.

For my next projects, if I include OpenID support I will definitely follow the steps of Stack Overflow by allowing multiple OpenIDs to be attached to one account.