Comments on: Protecting Usernames on IS?

By: Inventing Time » Blog Archive » Pay me to add spellcheck

Inventing Time » Blog Archive » Pay me to add spellcheck — Wed, 21 Mar 2007 23:57:41 +0000

[...] for other improvements like logins, they’ll come eventually, I just haven’t been in a feature adding mode lately. So [...]

By: ReptilianSamurai

ReptilianSamurai — Sun, 21 Jan 2007 07:00:58 +0000

Perhaps ‘guest’ handles should be colored differently from registered handles? Then you wouldn’t need to worry about impersonations. (well, without registering anyway)

I remember in the days of CT! when one particular troll kept signing up names that looked like someone else’s handle, but used a letter or number that looked the same in the font (ie the number 1 in place of l), or changed the order of a sequence of numbers in the handle, etc.

By: UpSky2

UpSky2 — Sat, 20 Jan 2007 20:39:45 +0000

Darn good points. Short handles inclusive in long ones… hmmm.
Evolving a good rule/set would seem to require a Solomonic examination of possible cases. Roughly ‘any match of five or more characters in succession’ might be workable?? i.e. for all one-two-three-or-four-chrs-long handles, no exclusions would apply, then.
Existing duplications could be checked for and specially excepted.

[....Or maybe it's more work (and trouble) than it's worth.]

By: GersonK

GersonK — Fri, 19 Jan 2007 04:20:01 +0000

Well, maybe AI was an overstatement, but it’s not the application of the near-miss rule so much as the definition that I’m worried about. For instance, your examples included blocking out handles that contained UpSky2 or UpSky, how much of a registered handle needs to be hit to be a match? Would kit and Dangerkitty exclude each other? Would registering kif stop somebody else from registering SkiffPilot?

By: UpSky2

UpSky2 — Thu, 18 Jan 2007 17:18:02 +0000

( The sort of ‘near-miss’ detection I was thinking of, as to the lockout of nearly-the-same handles or ‘resemblance handles’, could be done with a PERL regular expression of a fairly simple type … or so I thought, but my PERL is rusty right now. )

By: GersonK

GersonK — Wed, 17 Jan 2007 00:42:41 +0000

wd et al - to clarify, unregistered handles will be usable without passwords. If you’ve got a registered handle, once you’ve logged in, cookies will keep you logged in for a reasonable time without re-entering your password and you’ll still be able to switch to an unregistered handle easily. Switching to another registered handle will probably require logging out first.

Up - you raised a lot of reasonable issues there. Short answer, this security system is essentially a fig leaf attached with a combo lock, not Fort Knox. The tech required to differentiate a legit near miss and what’s an invalid near miss usefully may well verge on artifical intelligence, or at the very least make the system more complex by an order of magnitude. Complexity makes bugs more likely, which in turn leads to security holes (yes, that’s a smug rationalization). Account holders in a slightly forgetful condition can recover their account via this page, account holders in a more forgetful state will have to go through the weak link in any secutiry system - a person, namely me.

By: UpSky2

UpSky2 — Tue, 16 Jan 2007 19:45:52 +0000

Block handle use without password, if is a registered handle.* No imcapperations!

But on the other wishy-washy hand, things are fine as they are, too.

*(leaving ‘DubyaBush’ or ‘GeorgeWaldoB-sh’ or ‘SaddamWhosane’ or etc. for those who may or must improvise a handle. Or leaving guest-newbies free to knead out a good handle with several tries, in unused territory.)

But on the *other* wishy-washy hand, regardless of password, wouldn’t it be nice to lock out creation/use of handles strongly resembling already established-registered-passworded ones ? except by those who have the password for the ‘main’ handle…. Examples: reserve not just UpSky2, but also UpSkyCpnBligh, F-dUpSky2, UpSky2theRooftops, etc. (But da_upstart would of course not be a near enough match, eh!)

(crusading tirade follows:) I myself have thought there is good reason to object to an ‘absolute’ security model that treats a near-miss like a complete-miss, since in practice everyone now and then gets a digit or two wrong… if our accounts locked us out every time we did that, on the first error, we’d see the error of such punctiliousness plain. And locking out someone who uses the random or ‘brute-force’ approach is reasonable, but distinguishing near-misses from far-misses would distinguish between a brute-forcer and an account holder in a slightly forgetful condition. Bla bla bla etc.

By: JoeCrow

JoeCrow — Tue, 16 Jan 2007 18:00:13 +0000

Emulation is the greatest of all Compliments
and it still pisses me the f@ck off
Protection is alwaya a good idea
unless you’re really drunk and really horny

By: ArchHallJr

ArchHallJr — Tue, 16 Jan 2007 17:18:50 +0000

A fine idea, I don’t care what JP says about you.

By: wd40

wd40 — Tue, 16 Jan 2007 13:17:12 +0000

I’m agin it! That hateful rascal from the last days of CT hasn’t shown up in IS and I have found an additional humor release in using a handle that matches the sentiment in the caption, yes, I *am* the multiple personality man that Miranda tried and tried to flame those several years ago. If I had to register DubyaBush every time I made an enviro-insensitive cap, or SaddamWhosane everytime I made an Iraqi war cap, I’d not be able to cap them at all. Long Live HamhandedPansy and everybody else at the masquerade! Thank you, thank you and a special thanks to GersonK for the IS site.