Protecting Usernames on IS?
I’m thinking of finally letting people protect their handles on Inventing Situations, but would like to get some feedback and give some warning before I throw the switch. It would probably work thusly: if you’ve registered a handle at sector7g-zz9 then you’d have to be logged on to use that handle on IS (even if you only registered it for use on Wasting Precious Time or the movie catalog). The submit caption form would include a password field so you could log on and submit a caption in a single swoop. But if you haven’t registered, then you’d be able to just leave the password blank and keep capping as always. In the past I’ve waffled and given reasons not to do this, but I’m starting to think it’s finally time to go ahead with it.
To my mind, here are the major pros and cons of my proposed system.
Pros:
- Allows people to protect themselves against password theft (which I still think is a very rare occurrence).
- If done properly, should be low impact. Little to no effect on those who choose not to use it, and just an occasional password entry for those who do use it.
- Will allow for addition of things like capperwiki profile links on people’s captions.
Cons:
- Security on the site is still sort of weak: only as secure as your email account, no https, and so forth and so on.
- System requires separate registrations to protect alternate and holiday handles. (It would still be relatively easy to flip between handles, though.)
- Some people registered for WPT or the catalog, but don’t want to have to enter their password to cap. Or they forgot their password and lost access to the email account they signed up on, requiring manual intervention to get their username back.
If this happens, it won’t be for another month or so, but since this is a major change, I thought I’d get feedback to see if I need to do things differently or not at all. Thoughts?



January 15th, 2007 at 10:53 pm
Gerson,
I think handle registration is a good idea. While I haven’t encountered a problem with my handle being usurped here (not that it’s worth stealing), I’m kind of attached to it. I don’t mind having to enter a password to caption.
Dave
January 15th, 2007 at 11:36 pm
I don’t think anybody would want my handle since they don’t know what it means to begin with; but if they want it bad enough to steal it, “hendle” my handle with care. I’d just pick a new-y, as I pick my nose.
I dearly HATE using passwords for everything under the sun, don’t you?
January 16th, 2007 at 12:28 am
I’m kind of shocked by the notion that anybody would want to impersonate a capper, but I’ve gotten one or two reports from the field, which suggests that there’s even more incidents not going reported. If you suspect you’ve been impersonated here, please let me know.
Just to clarify, you’d only have to enter your password at most every few hours, if you use the “remember me” checkbox, every few days, and if you don’t register (which I realize you two might have done for WPT), not at all.
Since registration serves multiple purposes here, I may consider a “don’t ask for my password on IS” switch for those who have already registered, effectively saying “I sacrifice handle protection for convenience”, but that seems like a confusing and complicated addition.
January 16th, 2007 at 7:51 am
I think it is a good idea providing it involves minimal hassle and is mostly invisible (using cookies to keep you permanently logged in, for instance). As long as guests can still post without registering, then IS will still be accessible to newcomers that would otherwise be apprehensive of signing up on yet another website.
I especially like the idea of linking to the wiki profiles through protected handles, that would be neat.
January 16th, 2007 at 7:56 am
I think it’s a good idea. I.D. theft isn’t MUCH of a problem, but I would hate to think of someone using someone’s handle while saying bad things about another capper. It would be a hard thing to straighten out, and the “injured” party would probably never be sure….
Signing in with a password is really no more difficult than simply signing in, so I say, “Go for it!”
-Dave
January 16th, 2007 at 9:17 am
I’m agin it! That hateful rascal from the last days of CT hasn’t shown up in IS and I have found an additional humor release in using a handle that matches the sentiment in the caption, yes, I *am* the multiple personality man that Miranda tried and tried to flame those several years ago. If I had to register DubyaBush every time I made an enviro-insensitive cap, or SaddamWhosane every time I made an Iraqi war cap, I’d not be able to cap them at all. Long Live HamhandedPansy and everybody else at the masquerade! Thank you, thank you and a special thanks to GersonK for the IS site.
January 16th, 2007 at 1:18 pm
A fine idea, I don’t care what JP says about you.
January 16th, 2007 at 2:00 pm
Emulation is the greatest of all Compliments
and it still pisses me the f@ck off
Protection is always a good idea
unless you’re really drunk and really horny
January 16th, 2007 at 3:45 pm
Block handle use without password, if it is a registered handle.* No imcapperations!
But on the other wishy-washy hand, things are fine as they are, too.
*(leaving ‘DubyaBush’ or ‘GeorgeWaldoB-sh’ or ‘SaddamWhosane’ or etc. for those who may or must improvise a handle. Or leaving guest-newbies free to knead out a good handle with several tries, in unused territory.)
But on the *other* wishy-washy hand, regardless of password, wouldn’t it be nice to lock out creation/use of handles strongly resembling already established-registered-passworded ones ? except by those who have the password for the ‘main’ handle…. Examples: reserve not just UpSky2, but also UpSkyCpnBligh, F-dUpSky2, UpSky2theRooftops, etc. (But da_upstart would of course not be a near enough match, eh!)
(crusading tirade follows:) I myself have thought there is good reason to object to an ‘absolute’ security model that treats a near-miss like a complete-miss, since in practice everyone now and then gets a digit or two wrong… if our accounts locked us out every time we did that, on the first error, we’d see the error of such punctiliousness plain. And locking out someone who uses the random or ‘brute-force’ approach is reasonable, but distinguishing near-misses from far-misses would distinguish between a brute-forcer and an account holder in a slightly forgetful condition. Bla bla bla etc.
January 16th, 2007 at 8:42 pm
wd et al - to clarify, unregistered handles will be usable without passwords. If you’ve got a registered handle, once you’ve logged in, cookies will keep you logged in for a reasonable time without re-entering your password and you’ll still be able to switch to an unregistered handle easily. Switching to another registered handle will probably require logging out first.
Up - you raised a lot of reasonable issues there. Short answer, this security system is essentially a fig leaf attached with a combo lock, not Fort Knox. The tech required to differentiate a legit near miss and what’s an invalid near miss usefully may well verge on artificial intelligence, or at the very least make the system more complex by an order of magnitude. Complexity makes bugs more likely, which in turn leads to security holes (yes, that’s a smug rationalization). Account holders in a slightly forgetful condition can recover their account via this page, account holders in a more forgetful state will have to go through the weak link in any security system - a person, namely me.
January 18th, 2007 at 1:18 pm
( The sort of ‘near-miss’ detection I was thinking of, as to the lockout of nearly-the-same handles or ‘resemblance handles’, could be done with a PERL regular expression of a fairly simple type … or so I thought, but my PERL is rusty right now. )
January 19th, 2007 at 12:20 am
Well, maybe AI was an overstatement, but it’s not the application of the near-miss rule so much as the definition that I’m worried about. For instance, your examples included blocking out handles that contained UpSky2 or UpSky, how much of a registered handle needs to be hit to be a match? Would kit and Dangerkitty exclude each other? Would registering kif stop somebody else from registering SkiffPilot?
January 20th, 2007 at 4:39 pm
Darn good points. Short handles inclusive in long ones… hmmm.
Evolving a good rule/set would seem to require a Solomonic examination of possible cases. Roughly ‘any match of five or more characters in succession’ might be workable?? i.e. for all one-two-three-or-four-chrs-long handles, no exclusions would apply, then.
Existing duplications could be checked for and specially excepted.
[....Or maybe it's more work (and trouble) than it's worth.]
January 21st, 2007 at 3:00 am
Perhaps ‘guest’ handles should be colored differently from registered handles? Then you wouldn’t need to worry about impersonations. (well, without registering anyway)
I remember in the days of CT! when one particular troll kept signing up names that looked like someone else’s handle, but used a letter or number that looked the same in the font (ie the number 1 in place of l), or changed the order of a sequence of numbers in the handle, etc.
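The "five or more characters in succession" rule floated in the comments above, combined with folding the look-alike characters mentioned in the last comment (1 in place of l), as an added example that is not part of the thread or the site's code. The fold table, the function names and the registered handle `wallaby` are assumptions made for illustration; the other handles are the ones the commenters used as test cases.

```python
# Added illustration; the handles, fold table and names are constructed.
MIN_RUN = 5  # "five or more characters in succession", as proposed in the thread
# Assumed look-alike table: the thread names only 1-for-l; 0-for-o is an extra.
CONFUSABLES = str.maketrans({"1": "l", "0": "o"})
REGISTERED = ["UpSky2", "kit", "kif", "wallaby"]  # "wallaby" is made up


def fold(handle):
    """Lowercase, then map look-alike characters onto one representative."""
    return handle.lower().translate(CONFUSABLES)


def longest_shared_run(a, b):
    """Length of the longest substring common to a and b (row-by-row DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ch_a in a:
        cur = [0] * (len(b) + 1)
        for j, ch_b in enumerate(b, 1):
            if ch_a == ch_b:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def conflicts(candidate, registered=REGISTERED, min_run=MIN_RUN):
    """Registered handles that the candidate equals or resembles after folding."""
    c = fold(candidate)
    return [
        h for h in registered
        if fold(h) == c or longest_shared_run(c, fold(h)) >= min_run
    ]


if __name__ == "__main__":
    for name in ["UpSkyCpnBligh", "F-dUpSky2", "UpSky2theRooftops", "da_upstart",
                 "Dangerkitty", "SkiffPilot", "wa11aby", "KIT"]:
        print(f"{name:18} -> {conflicts(name) or 'allowed'}")
```

The rule leaves `kit`/`Dangerkitty` and `kif`/`SkiffPilot` alone only because those registered handles are shorter than five characters; two longer handles that happen to share a five-letter word would still collide, which is the definition problem raised in the thread.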
March 21st, 2007 at 7:57 pm
[...] for other improvements like logins, they’ll come eventually, I just haven’t been in a feature adding mode lately. So [...]