I registered succesfully and I tried a couple of interesting vanity ids

• Default.aspx
  Result: accepted but doesn't work (404)
• index.php
  Result: it works (and I'm currently using it ^[1])

Tried to sign up and accidentally used a malformed email myemail+stackexchange.com, forgetting to add the @gmail part. I saw no indication of any problem, just never got an email.

Not sure if email validation is part of what you're currently looking to test, but it took a while to figure out. Guess I've got a bad case of the Mondays. I didn't notice it until I tried to sign up again and the field was auto filled with the incorrect version. :)

Upon registration, my randomly generated 8-character password (letters of either case and digits) was rejected for not having 8 different character. Hmm, you're rejecting 38% of a class of passwords with 47 bits of entropy. I should crank it up to 16, I suppose.

Openid.SE doesn't automatically trust stackoverflow.com as a relying party. I suppose it will once it's in production.

If you try to recover a password with a non-existing email you get the message:

No account with that email was found

Which actually could be used by an attacker to determine whether a login exists or not, whereas upon logging in with an incorrect username and password combination, the error reads:

Unknown email or incorrect password

So, they are inconsistent in intent, and they should be fixed by adopting one of the two following options:

Option A: you want to keep the site as secure as possible. No information should be leaked by the recover password page, login should stay as-is

Option B: you want to be friendlier to the user. Keep the recover password as is, but change the login screen to specify which field (username or password) is the source of the error.

Very long emails produce unexpected results on registration

I've tried with a 15kb email name and it apparently kills the request at some point. The error returned is:

Captcha failed - The verification words are incorrect.

Whereas, my captcha was actually OK (I've tried three times).

15kb email names do fit in the textbox so either reduce the textbox max-length or make sure the system supports those email values.

Note: Login and password recovery work quite fast with the same long email.

^{Test case: averylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusernameaverylongusername@mailinator.com}

Tried to add on sourceforge.

I got : https://openid.stackexchange.com/account/login/submit a 404 when submitting the first time and now :

Cannot Complete Login

Detected an attempt to send an assertion when the identifier (http://openid.stackexchange.com/) is not owned by the logged in user.

If you believe you encountered this message in error, please report it.

I think it's because I didn't put my username in the address when I tried. Google does not requires to put a usename when used. Can we do the same? You put openid.stackexchange.com and it returns openid.stackexchange.com/mvyonline (being my vanity one BTW)

Edit

Argh... and if you forgot to put httpS your denied too... even if you are login on the HTTPS version of the site.

Edit

At the end sourceforge refused it ... Could not verify your OpenID. Please try again.

Using a vary standard email (my own gmail) it worked (almost) flawlessly:

I started with a very basic password which got the read sign on the right. It let me put the same password on the second box and submit, though. I then got the response that the password was not complex enough and then added a new one and resubmission was fine. I don't know if that's the intended behaviour or it should not even submit if the password is not complex enough. In any case, it's quite minor. Good job :)

Now testing foreign characters, it doesn't work that well:

email: ñóúíéá@úñíóéé.com.yyzz

Name: húúíóñßüáúbb áßúbíóó

Password: ASDFqwerty01

When I hit send confirmation email button, it stays for a while "waiting for openid.stackexchange.com...", until it fails "Captcha failed - The verification words are incorrect" (several iterations of the same, I may be bad typing, but not that bad :)

Browser Chromium 11.0.696.68 (Ubuntu 11.04)

Password reset works just fine (and I loved the joke, I was laughing alone at work)

Validation on the profile page is inconsistent.

Putting a very long name is OK on the client side and a validation error is reported on submit:

Name is too long.

Putting a very long vanity id is caught on the client side and a validation error is reported instantly in a different place on the page.

Cannot be more than 40 characters long.

I like that plussed eMail addresses are supported (the plus symbol is a valid part of the local-part, which comes before the @ symbol, according to the relevant RFCs).

This ID system seems to be working well. I did try to get set up with the other OpenID provider that you folks recommend, but there were some problems with the registration and then their administrators didn't answer the eMails I sent to them.

Thanks for providing this alternative which resolved my problem.

The signup dialog has an iframe border in IE8: