From: Andrew Black - lists
Date: 21:07 on 05 Jun 2007
Subject: Creating an account on a website - going round in circles.....

How many times have I gone to a form

Username : AndrewB
Password: xxxxx
Password again: xxxxx
email:
Graphic to check you are really human :

Submit
Sorry AndrewB is taken
Change to AndrewBlack
Sorry you must give a password (been cleared down)
Type password twice
Sorry AndrewBlack is taken
Change to AndrewDBlack
Add password - remembered to put it this time
Sorry must put in the letters from the graphic
Do that but forgot to put password this time
Put password in but don't notice the graphic has changed.
Sorry AndrewDBlack is taken (by me a minute ago but I got confused and
didn't realise I had succeeded ....

Why can't it check your username is sensible before all the other
things. I guess with Ajax you can

From: Jonathan Stowe
Date: 21:33 on 05 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On Tue, 2007-06-05 at 21:07 +0100, Andrew Black - lists wrote:
> How many times have I gone to a form
> ....
>
> Why can't it check your username is sensible before all the other
> things. I guess with Ajax you can

Yes this is annoying, especially where you have a big stupidly designed
form that loses bits of the information you put in. However providing an
API for AJAX to check, say, a username like this could assist some
blackhat in an attempt to bruteforce accounts on the service...

/J\

From: Juerd Waalboer
Date: 21:37 on 05 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

Jonathan Stowe skribis 2007-06-05 21:33 (+0100):
> > Why can't it check your username is sensible before all the other
> > things. I guess with Ajax you can
> Yes this is annoying, especially where you have a big stupidly designed
> form that loses bits of the information you put in. However providing an
> API for AJAX to check, say, a username like this could assist some
> blackhat in an attempt to bruteforce accounts on the service...

Just put the captcha at the beginning instead of the end.

From: Robert Rothenberg
Date: 09:48 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On 05/06/07 21:37 Juerd Waalboer wrote:
> Jonathan Stowe skribis 2007-06-05 21:33 (+0100):
> [...]
>> Yes this is annoying, especially where you have a big stupidly designed
>> form that loses bits of the information you put in. However providing an
>> API for AJAX to check, say, a username like this could assist some
>> blackhat in an attempt to bruteforce accounts on the service...
>
> Just put the captcha at the beginning instead of the end.

No. A human can do the captcha part and then hand control over to a script.

From: Juerd Waalboer
Date: 10:15 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

Robert Rothenberg skribis 2007-06-06 9:48 (+0100):
> > Just put the captcha at the beginning instead of the end.
> No. A human can do the captcha part and then hand control over to a script.

Change the captcha for each failed attempt, or every n failed attempts.

From: Jonathan Stowe
Date: 10:33 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On Wed, 2007-06-06 at 11:15 +0200, Juerd Waalboer wrote:
> Robert Rothenberg skribis 2007-06-06 9:48 (+0100):
> > > Just put the captcha at the beginning instead of the end.
> > No. A human can do the captcha part and then hand control over to a script.
>
> Change the captcha for each failed attempt, or every n failed attempts.

And hence back to the original hate ...

/J\

From: Juerd Waalboer
Date: 10:45 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

Jonathan Stowe skribis 2007-06-06 10:33 (+0100):
> On Wed, 2007-06-06 at 11:15 +0200, Juerd Waalboer wrote:
> > Robert Rothenberg skribis 2007-06-06 9:48 (+0100):
> > > > Just put the captcha at the beginning instead of the end.
> > > No. A human can do the captcha part and then hand control over to a script.
> > Change the captcha for each failed attempt, or every n failed attempts.
> And hence back to the original hate ...

Only if you exaggerate the effort of typing in a captcha.

From: David Cantrell
Date: 15:35 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On Wed, Jun 06, 2007 at 10:33:33AM +0100, Jonathan Stowe wrote:
> On Wed, 2007-06-06 at 11:15 +0200, Juerd Waalboer wrote:
> > Change the captcha for each failed attempt, or every n failed attempts.
> And hence back to the original hate ...

Captchas are hateful anyway. I get them wrong at least half the time.

From: A. Pagaltzis
Date: 11:22 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

* Juerd Waalboer <juerd@xxxxxxxxxxx.xx> [2007-06-05 22:45]:
> > providing an API for AJAX to check, say, a username like this
> > could assist some blackhat in an attempt to bruteforce
> > accounts on the service...
>
> Just put the captcha at the beginning instead of the end.

As well as the choice of username. Then collect the password and
anything else such as email etc in an extra step. Make sure not
to create the account until that extra step is completed; just
mark the username as reserved for a few minutes. The first step
is only for picking an available username and confirming that
you're not a machine.

Regards,

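The two-step flow A. Pagaltzis describes, combined with Juerd Waalboer's suggestion to change the captcha on each failed attempt, as an added example that is not code from the thread. The class, method and status names are hypothetical, the 300-second hold is an assumed value for "a few minutes", and the in-memory dicts stand in for a real store.

```python
import hashlib
import secrets
import time

RESERVATION_TTL = 300  # seconds; the post says "a few minutes", value assumed


def _same(a, b):
    """Constant-time string comparison (bytes, so non-ASCII input is safe)."""
    return secrets.compare_digest(a.encode(), b.encode())


class Registration:
    """In-memory model of the two-step sign-up; all names are hypothetical."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts = {}      # username -> {"email", "salt", "pw_hash"}
        self.reservations = {}  # username -> (token, expiry time)
        self.captchas = {}      # captcha id -> expected answer

    def new_captcha(self, answer):
        """Issue a challenge. The answer is supplied by the caller so the
        demo is deterministic; a real site would render it as an image."""
        captcha_id = secrets.token_urlsafe(8)
        self.captchas[captcha_id] = answer
        return captcha_id

    def step1(self, username, captcha_id, answer):
        """Captcha first, then availability. pop() burns the challenge on
        every attempt, right or wrong, so one human-solved captcha buys a
        script exactly one availability answer."""
        expected = self.captchas.pop(captcha_id, None)
        if expected is None or not _same(expected, answer):
            return ("bad_captcha", None)
        held = self.reservations.get(username)
        if username in self.accounts or (held and held[1] > self.clock()):
            return ("taken", None)
        token = secrets.token_urlsafe(16)
        self.reservations[username] = (token, self.clock() + RESERVATION_TTL)
        return ("reserved", token)

    def step2(self, username, token, password, email):
        """Create the account only for the holder of a live reservation."""
        held = self.reservations.get(username)
        if not held or held[1] <= self.clock() or not _same(held[0], token):
            return "no_reservation"
        if not password or not email:
            return "incomplete"  # reservation kept: the chosen name is not lost
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
        self.accounts[username] = {"email": email, "salt": salt, "pw_hash": pw_hash}
        del self.reservations[username]
        return "created"
```

An incomplete second step leaves the reservation in place, so the form can be resubmitted without the username being reported as taken by the same visitor.
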
From: Timothy Knox
Date: 23:00 on 05 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

Somewhere on Shadow Earth, at Tue, Jun 05, 2007 at 09:07:44PM +0100, Andrew Black - lists wrote:
> How many times have I gone to a form
>
> Username : AndrewB
> Password: xxxxx
> Password again: xxxxx
> email:
> Graphic to check you are really human :
>
> Submit
> Sorry AndrewB is taken

And for that matter, why do I want to have a "username"? Why can't I just use
my email address, and if the website needs something it can display to others,
let me enter my name. If there is more than one Timothy Knox already on the
system, display my name as "Timothy Knox (3)" or whatever. For every website
that has a registration, I have to remember which contortion of my usual
username wasn't already taken by some previous user of the system. GAAAAH!

From: Peter da Silva
Date: 01:30 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

> And for that matter, why do I want to have a "username"? Why can't I
> just use my
> email address,

What happens when you want to change it?

> I have to remember which contortion of my usual username wasn't
> already taken by some previous user of the system. GAAAAH!

As opposed to remembering which email address you used?

Picking a username is hateful, an account tied to an email address is
hateful. Our community here is perhaps uniquely blessed by this situation
where there is juicy hate available no matter which choice is made.

Myself, I think the idea that one should have to have an "account" on
most websites is itself hateful.

From: Juerd Waalboer
Date: 01:37 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

Peter da Silva skribis 2007-06-05 19:30 (-0500):
> > And for that matter, why do I want to have a "username"? Why can't I
> > just use my email address,
> What happens when you want to change it?

Then you probably need to reconfirm.
Do you foresee any problems?

> As opposed to remembering which email address you used?

I use site-example.com@xxxxx.xx, where example.com is the domain of the
login page. Works very well, and lets me delete individual addresses
easily.

> an account tied to an email address is hateful.

Why?

From: Peter da Silva
Date: 04:39 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On Jun 5, 2007, at 7:37 PM, Juerd Waalboer wrote:
> Peter da Silva skribis 2007-06-05 19:30 (-0500):
>>> And for that matter, why do I want to have a "username"? Why can't I
>>> just use my email address,
>> What happens when you want to change it?
> Then you probably need to reconfirm.
> Do you foresee any problems?

Losing access to whatever resources are associated with the previous
email address? For many sites that's not an issue, but for others it is.

>> As opposed to remembering which email address you used?
> I use site-example.com@xxxxx.xx, where example.com is the domain of the
> login page. Works very well, and lets me delete individual addresses
> easily.

I have mixed feelings about that design. I use it a lot, but it seems to
multiply my spam since I get copies to many variants. I know where the
spam came from, yay... that doesn't console me all that much.

That approach is also only useful for people like us. Most people don't
have that option, so they have to live with the spam.

>> an account tied to an email address is hateful.
> Why?

You change your email address, you lose all the accounts tied to it,
sooner or later.

From: Andrew Black - lists
Date: 05:37 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

Peter da Silva wrote:
>> I have to remember which contortion of my usual username wasn't
>> already taken by some previous user of the system. GAAAAH!
>
> As opposed to remembering which email address you used?

At least that is under your control (largely). I try to use one of two
different email addresses for registering (one for work, one for other
but there is a grey area of techy sites I use for both...). I am not
forced to choose a different id by some other guy being the first
"andrew" "andrewb" "adb" "redmonkey" "android" or whatever.

There is a minor problem if people share an address (eg
sharonandwayne@xxxxxxx.xxx) but I assume that doesn't affect people on
this list :-). That is another hate, but it is hate of what software
allows you to do, not software itself.

>>> What happens when you want to change it?
>
>> Then you probably need to reconfirm.
>
>> Do you foresee any problems?

If you know the existing email address + password, you
- log on
- change email address
- system sends you a confirm to new address
- reply to or contact http://somesite/abasdfasdfasdfasdfasdfaasdfas

OK - this is a security loophole - someone can change address knowing
only your email+ password.

If you have access to the existing email address and forget password then
the system sends you a change password message to the existing.

The problem comes if you forget the password and can't access the old
address (eg changed job).

From: Matt McLeod
Date: 05:49 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

Andrew Black - lists wrote:
> The problem comes if you forget the password and can't access the old
> address (eg changed job).

Or if the bozo who designed the thing decided to use the
username/email-address as the key for all the tables. Chances are they
won't *let* you change the address.

This is less troublesome for those who have their own vanity domains,
but for people like my parents who just use whatever mailbox their ISP
provides, and who then skip from one ISP to another as prices and
service offerings change...

Matt (pre-hating in anticipation of a domain change...)

From: Chris Devers
Date: 15:14 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On Jun 5, 2007, at 11:39 PM, Peter da Silva wrote:
> You change your email address, you lose all the accounts tied to
> it, sooner or later.

..hence the appeal of a pobox.com account, which just forwards on to
whatever account you feel like using that week, and the people sending
you mail -- friends, family, colleagues, companies, and yes spammers --
don't have to come across that problem, as the address never changes
from their point of view.

On the flip side, it also seems to mean you're a nice stable target for
spammers, but SpamAssassin can at least keep that down to a dull roar
most of the time....

From: Peter da Silva
Date: 16:53 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On Jun 6, 2007, at 9:14 AM, Chris Devers wrote:
> On Jun 5, 2007, at 11:39 PM, Peter da Silva wrote:
>> You change your email address, you lose all the accounts tied to it,
>> sooner or later.
> ..hence the appeal of a pobox.com account, which just forwards on to
> whatever account you feel

Yah, and I've had taronga.com since the early '90s.

But I tend to use throwaway gmail addresses for registration these days.

From: Abigail
Date: 17:01 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On Wed, Jun 06, 2007 at 10:53:12AM -0500, Peter da Silva wrote:
> On Jun 6, 2007, at 9:14 AM, Chris Devers wrote:
> >On Jun 5, 2007, at 11:39 PM, Peter da Silva wrote:
> >>You change your email address, you lose all the accounts tied to it,
> >>sooner or later.
>
> >..hence the appeal of a pobox.com account, which just forwards on to
> >whatever account you feel
>
> Yah, and I've had taronga.com since the early '90s.
>
> But I tend to use throwaway gmail addresses for registration these days.

http://www.mailinator.com/

Abigail

From: Peter da Silva
Date: 17:28 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

> http://www.mailinator.com/

That's a bit TOO throwaway for my liking. o_O

From: Robert Rothenberg
Date: 10:26 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On 06/06/07 01:30 Peter da Silva wrote:
> Myself, I think the idea that one should have to have an "account" on
> most websites is itself hateful.

I wouldn't say "most" websites. (I'm often surprised at how many websites
will still let me submit anonymous comments.)

If you want to have a website with some kind of discussion board, you need
some kind of authentication. You can farm that out to a central system
(such as Microsoft Passport) or you can let everybody manage their own.

The former has a lot of hateful aspects: cost of entry is one, doing it in
a secure manner is another.

You can let your web browser remember passwords for you, but remembering
values for forms has a lot of other hate: the last time I checked, Firefox
did a crap job of encrypting master passwords; and remembering form values
over https also allows it to remember credit card numbers.

From: A. Pagaltzis
Date: 11:12 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

* Robert Rothenberg <robrwo@xxxxx.xxx> [2007-06-06 11:30]:
> I wouldn't say "most" websites. (I'm often surprised at how
> many websites will still let me submit anonymous comments.)

Not surprising at all. Unless you have the gravity of a social
networking site or a large forum, requiring account creation is
a sure way to drive people away. They won't register on weblogs
and the other asteroids floating through the web. If you want
comments from anyone else than the relatives you'd prefer weren't
reading you, you generally need to allow anonymous comments.

> If you want to have a website with some kind of discussion
> board, you need some kind of authentication. You can farm that
> out to a central system (such as Microsoft Passport) or you can
> let everybody manage their own.

Or you can farm out to a decentralised system like OpenID.

Regards,

From: Peter da Silva
Date: 13:19 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

> If you want to have a website with some kind of discussion board, you
> need
> some kind of authentication.

That turns out not to be the case, even for discussion boards, but what
about websites that require an account before you can download free
software or view documentation? No, there's plenty of juicy and
unnecessary hate there...

From: Abigail
Date: 14:01 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On Wed, Jun 06, 2007 at 10:26:05AM +0100, Robert Rothenberg wrote:
>
> If you want to have a website with some kind of discussion board, you need
> some kind of authentication.

You mean, just like that big old discussion system called Usenet?

Oh, wait...

Abigail

From: Timothy Knox
Date: 19:15 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

Somewhere on Shadow Earth, at Wed, Jun 06, 2007 at 10:26:05AM +0100, Robert Rothenberg wrote:
<snip>
> You can let your web browser remember passwords for you, but remembering
> values for forms has a lot of other hate: the last time I checked, Firefox
> did a crap job of encrypting master passwords; and remembering form values
> over https also allows it to remember credit card numbers.

That is only helpful if you only ever surf the web with *one* computer,
using only one browser. I surf from any of about six different computers,
depending on where I am and what I am doing, and using about nine distinct
browsers. I admit that I am atypical in that regard, but this is one of
the chief reasons I find website accounts hateful.

From: A. Pagaltzis
Date: 05:54 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

* Timothy Knox <tdk@xxxxxxxx.xxx> [2007-06-06 00:05]:
> Why can't I just use my email address, and if the website needs
> something it can display to others, let me enter my name.

This is me, failing to hate OpenID.

Regards,

From: Adam Atlas
Date: 01:04 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On 5 Jun 2007, at 16.07, Andrew Black - lists wrote:
> How many times have I gone to a form
>
> ...
>
> Why can't it check your username is sensible before all the other
> things. I guess with Ajax you can

Indeed, indeed. It's not just checking the username, for that matter.
It's any sort of validation that can go on, and nearly every form uses
some sort or another, not just registration forms. Checking for allowed
characters, checking whether a phone number is properly formatted,
checking whether the enter-your-password-twice fields match...

I've been writing a form-building library for web apps written in
Python. It has built-in Ajaxy stuff for that kind of validation. For any
input (or multiple), you can supply validators, and it generates the
JavaScript to perform the validation asynchronously and without
requiring any reloads. Validators are normally written in Python and
executed server-side, in which case my library calls it with Ajax, but
they can also provide JavaScript versions of themselves, if it's
something that doesn't require server-side data.

I'm sure there'll still be some things to hate in there, but at least
it's progress!

From: Roger Burton West
Date: 09:21 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On Tue, Jun 05, 2007 at 08:04:54PM -0400, Adam Atlas wrote:
>Checking for allowed characters, checking
>whether a phone number is properly formatted,

No, you are NOT getting my phone number. The more inventive I have to be
to put in a phone number that your validator will accept, the less
likely I am to bother to do business with you at all.

(That's you-generic, of course, not Adam.)

R

From: David Cantrell
Date: 15:27 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On Wed, Jun 06, 2007 at 09:21:16AM +0100, Roger Burton West wrote:
> No, you are NOT getting my phone number. The more inventive I have to be
> to put in a phone number that your validator will accept, the less
> likely I am to bother to do business with you at all.

Take your valid number, transpose two random digits. If you want to
check whether the resulting number really is valid, then:
http://www.cantrell.org.uk/david/phoneinfo/
but I very much doubt that anyone other than a telco is going to bother
checking in that much detail.

From: Andy Armstrong
Date: 15:33 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

On 6 Jun 2007, at 15:27, David Cantrell wrote:
> Take your valid number, transpose two random digits. If you want to
> check whether the resulting number really is valid, then:
> http://www.cantrell.org.uk/david/phoneinfo/

Oooh. Oooh. Does that have an API I can call? :)

From: Juerd Waalboer
Date: 16:34 on 06 Jun 2007
Subject: Re: Creating an account on a website - going round in circles.....

Andy Armstrong skribis 2007-06-06 15:33 (+0100):
> > http://www.cantrell.org.uk/david/phoneinfo/
> Oooh. Oooh. Does that have an API I can call? :)

http://tnx.nl/WWW::Mechanize :)

Generated at 10:28 on 16 Apr 2008 by mariachi