
You're seriously suggesting that every random site on the Internet should take email addresses and passwords, with all the increased attack surface that implies, instead of delegating to authentication providers who know what the hell they're doing and are not going to serve up everyone's credentials and private data to the first halfway serious attacker to happen along. And you're asking me if I'm joking?


The attack surface is only increased for those individuals who reuse passwords. Risk is actually reduced for those who use unique usernames and passwords. GP said nothing about requiring email addresses and provided several other alternatives that require nothing of the user at all.

Additionally, the reason you gave as to why the site might require it provides no real value to the user. There is no incentive to link yet-another-website to an authentication provider, except to access the site; which seems completely unnecessary.

Finally, I object to categorizing Google, Reddit, et al., as "authentication providers." While that may be a service they perform, they are actually, instead, just tracking you. If you'll forgive the clumsy metaphor of a caffeine-deprived mind, it would be a bit like calling police serving a search warrant "furniture reorganizers."


Accepting user registrations generally entails obtaining a means of contact which can be used to unlock an account whose password has been forgotten. By far the most common contact method used is email. GP may not have mentioned it in so many words, but the implication is trivial. Requiring unique registration on a site also demonstrably results in significantly fewer people actually making use of the site. It's perceived as a burden, and people not unreasonably wonder why they have to provide sensitive information in order to find out whether there's anything there worth providing sensitive information for. As ever, whether or not you think this should be true doesn't affect whether or not it is.

Too, leaving aside the question of whether it's a security risk for the user, maintaining a password database is certainly a security risk for the developer. Having your password database stolen is a credibility disaster. Similar exposure of a collection of OAuth tokens, none of which provides any access whatsoever to privileged data and all of which can be trivially deauthorized by their owners or en masse by the application developer, is about as minor a concern as any security compromise possibly can be. From the developer's perspective, that's an extremely strong argument for three-legged OAuth.

Addressing the other alternatives in detail: Using session cookies alone is great, except that they will eventually expire or be deleted, at which point all progress is lost. That's not a major problem, I suppose, but I can see people potentially being annoyed by it, especially shell cowboys who solve everything with one-liners. I'm not sure what "The site could generate a registration for the user" even means. And I think there's a fair argument to be made that authentication via OAuth with a third party hits a sweet spot between user convenience on the one hand, and persistence and distinguishability of identity on the other.

Finally, I'm really not sure why "they're tracking you!" is such a concern in this case. Yes, third-party tracking is an increasingly ubiquitous reality of life on the modern web, and yes, in many ways that is a very bad thing. On the other hand, there is such a thing as nuance, and I think it's a pretty long stretch to argue that it is likely to result in a major privacy violation to let on to Github, or for that matter Facebook or Twitter if I had accounts with them, that I'm a programmer. I suppose it's possible there are people who need to keep that a secret for some reason, although I can't imagine what reason that might be. For them, it's probably not worth it to use Advent of Code, even with a throwaway account. For me and apparently quite a lot of other people, it is. I'm having a very hard time seeing the prima facie unreasonability of that perspective that it seems like some folks do.


You seem to be going back and forth between the general case and this specific case. When I'm talking about the specific case, you start arguing in generalities, and when I'm talking about the general case, you switch to talking about the specifics.

> Accepting user registrations generally entails obtaining a means of contact which can be used to unlock an account whose password has been forgotten. By far the most common contact method used is email. GP may not have mentioned it in so many words, but the implication is trivial.

In this specific case, using your guessed-at reason for the need for registration, the implication that an email address is required isn't trivial. It simply isn't necessary at all. If it had been required, I also would have forgone registering. They have no need to contact me that I consider valid.

> Requiring unique registration on a site also demonstrably results in significantly fewer people actually making use of the site. It's perceived as a burden, and people not unreasonably wonder why they have to provide sensitive information in order to find out whether there's anything there worth providing sensitive information for.

Yet linking it to their social media or other accounts is not perceived as a burden? It is demonstrably perceived as a burden, as evidenced by both the other poster and myself. You also seem to be suggesting that linking a social media or other account is providing less sensitive information than creating a unique login. That may be the case at times, but I suspect, and I'd be surprised if you disagree, that usually you are providing more information by linking an external account versus a unique login.

> And I think there's a fair argument to be made that authentication via OAuth with a third party hits a sweet spot between user convenience on the one hand, and persistence and distinguishability of identity on the other.

I think there is too, in general, but not in this specific case if the only need is to have a unique identifier.

> Finally, I'm really not sure why "they're tracking you!" is such a concern in this case.

I'm not sure why you've gone from speaking very generally about the issue to getting very specific about the site in this case. I objected, very clearly, to identifying them as "authentication providers" in general. I never said anything about whether it was a huge privacy violation that they know you visited this particular site.


I think the suggestion was that this site doesn't really need to identify its users. It's a quiz site. If you want to make custom inputs for each user, drop a cookie with a big random number and stop fretting about the cases where that fails.
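
The cookie approach suggested in the comment above, sketched as an added example that is not part of the original thread or of any site's actual code: the server issues a random, HMAC-tagged identifier in a cookie and derives each visitor's puzzle input from it, so no email, password, or OAuth token is stored. `SERVER_KEY`, the cookie name `visitor`, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import random
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumption: a per-deployment secret kept server-side
COOKIE_NAME = "visitor"               # hypothetical cookie name

def _tag(visitor_id, key):
    return hmac.new(key, visitor_id.encode(), hashlib.sha256).hexdigest()

def issue_cookie(key=SERVER_KEY):
    """Create an anonymous visitor id and the Set-Cookie value that carries it."""
    visitor_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    jar = SimpleCookie()
    jar[COOKIE_NAME] = f"{visitor_id}.{_tag(visitor_id, key)}"
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["max-age"] = 365 * 24 * 3600
    morsel["secure"] = True      # never sent over plain HTTP
    morsel["httponly"] = True    # not readable from page scripts
    morsel["samesite"] = "Lax"
    return visitor_id, morsel.OutputString()

def read_cookie(cookie_header, key=SERVER_KEY):
    """Return the visitor id from a Cookie header, or None if absent or altered."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    visitor_id, sep, tag = jar[COOKIE_NAME].value.rpartition(".")
    expected = _tag(visitor_id, key)
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return visitor_id

def puzzle_input(visitor_id, puzzle, key=SERVER_KEY, count=5):
    """Derive a stable per-visitor input; nothing is stored server-side."""
    seed = hmac.new(key, f"{puzzle}:{visitor_id}".encode(), hashlib.sha256).digest()
    rng = random.Random(seed)  # not used for secrets, only to expand the seed into data
    return [rng.randrange(1000) for _ in range(count)]
```

Losing or clearing the cookie loses the identity, which is the failure case the comment says to accept; a leaked cookie exposes only that visitor's puzzle state.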


You're basing your argument on an assumption instead of what I wrote.


What assumption is that?



