From: Earle Martin
Date: 14:14 on 22 Mar 2005
Subject: Sites requiring registration to post a comment

No, I don't want to register a FREE ACCOUNT! on your website just to post a fucking comment. Yes, Flickr, I'm looking at you.
From: peter (Peter da Silva)
Date: 14:24 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

> No, I don't want to register a FREE ACCOUNT! on your website just to post a
> fucking comment. Yes, Flickr, I'm looking at you.

Website registration... arse. And then there's the various "you forgot your password" schemes.

Let's start with the sane one:

[Click here] if you forgot your password.
...
Enter your account name: [ ]
...
We'll send a password reset link to your registered mail address.

OK, if I'm me, I can read my email, this is plenty secure enough for a web board.

[Click here] if you forgot your password.
...
Enter your account name: [ ]
...
Enter the word you see in the picture below...

Huh? I'm gonna spam through a password reset script? WTF? Well, still, it's an easy hoop.

[Click here] if you forgot your password.
...
Enter your account name: [ ]
...
Your question was... WHAT IS YOUR FAVORITE COLOR? [ ]

Arse. What did I say for this one? Let's check my email... huh, they didn't send the answer in the link. Of course. OK, let's see... "bluenogreen".

We'll send a password reset link to your registered mail address.

OK. Fine. Thanks. But IT'S ONLY A WEB BOARD. MAILTO is plenty secure enough.

[Click here] if you forgot your password.
...
Enter your account name: [ ]
Enter your email address: [ ]

Arse! I don't remember what tagged address I used for this board... and how does this improve security anyway? And it's STILL JUST A FUCKING WEB BOARD!

[Click here] to register...
From: Anton Berezin
Date: 14:46 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

On Tue, Mar 22, 2005 at 08:24:37AM -0600, Peter da Silva wrote:
> Website registration... arse. And then there's the various "you forgot
> your password" schemes.

Ha! Then there's that:

[Click here] if you forgot your password.
...
Enter your account name: [ ]

Hmmm. Tough, I don't remember, it did not allow my usual ones (too short, already exist, you name it), so it was something funny. Ok, I'll register one more time:

Enter desired account name: [ ]
Enter your E-mail address: [ ]
...
An account with this E-mail address already exist!

Yes, stupid, it's my account, but what is it??

\Anton.
From: Chris Devers
Date: 15:03 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

On Tue, 22 Mar 2005, Anton Berezin wrote:
> Yes, stupid, it's my account, but what is it??

My "favorite" is my login for the Apple Developer's site, where the password has credible minimum complexity requirements (it must have letters, numbers, and mixed case; it can't be based on a dictionary word; etc) and you have to change the thing every few months. For a login account, these rules are reasonable, but for a web site? Come on...

So because I usually only log in a couple of times a year, I end up having to change my password more or less every time I use the site, and inevitably I can't remember it from one login to the next.

A couple of years ago, I found what seemed to be a bug in OSX, so I tried to log in to report it. But I'd forgotten my login. Again. So I tried a few variants before being locked out, then just got frustrated and made a whole new account to report the bug.

Within a day or two, I got a phone call -- an actual phone call! -- from an Apple engineer asking what the problem was logging in to the site. He showed no interest in the bug report, only the login issues. He never actually *fixed* the login issues, he just wanted to ask about them.

Now, whenever I try to log in, habit makes me use the old login, because that's the one I use on lots of other sites, but as usual I can't remember my password so I have to go through the old "try this one, try this one... got it" routine...

...but then I realize that I've just "successfully" logged in to my old account, and I get sent back to the login screen with a nasty scolding:

THIS ACCOUNT HAS BEEN DISABLED DUE TO SECURITY REASONS.

Arse.

So then I try the other login and it works, but at this point I'm so frustrated that I go do something else. Like rant on a mailing list :-/
From: Phil!Gregory
Date: 19:33 on 24 Mar 2005
Subject: Re: Sites requiring registration to post a comment

* Chris Devers <cdevers@xxxxx.xxx> [2005-03-22 10:03 -0500]:
> My "favorite" is my login for the Apple Developer's site, where the
> password has credible minimum complexity requirements (it must have
> letters, numbers, and mixed case; it can't be based on a dictionary
> word; etc) and you have to change the thing every few months.

A while back I tried to create a web account for Verizon. They set some complexity minimums--at least six characters, at least one digit--so, given that, and because it was for my phone account and involves at least semi-access to financial information, I tried to put a decent password in. It failed. Apparently, they have complexity *maximums*, too; only alphanumeric characters are allowed. Hate.

As a separate hate, they also didn't like my putting a plus sign in my email address. But that's an already well-established hate.
From: Luke Kanies
Date: 19:39 on 24 Mar 2005
Subject: Re: Sites requiring registration to post a comment

On Thu, 2005-03-24 at 14:33 -0500, Phil!Gregory wrote:
> A while back I tried to create a web account for Verizon. They set some
> complexity minimums--at least six characters, at least one digit--so,
> given that, and because it was for my phone account and involves at least
> semi-access to financial information, I tried to put a decent password
> in. It failed. Apparently, they have complexity *maximums*, too; only
> alphanumeric characters are allowed. Hate.
>
> As a separate hate, they also didn't like my putting a plus sign in my
> email address. But that's an already well-established hate.

I regularly use a password with a profanity in it, and I actually once had a site refuse to let me use this password. They actually went to the trouble of checking my _password_, which would (theoretically) never even be available in a readable format, for profanity. Astounding.

I spent a solid couple of minutes trying to imagine the mindset of the programmer who built that functionality. I failed miserably.
From: Phil Pennock
Date: 17:10 on 25 Mar 2005
Subject: Re: Sites requiring registration to post a comment

On 2005-03-24 at 14:33 -0500, Phil!Gregory wrote:
> A while back I tried to create a web account for Verizon. They set some
> complexity minimums--at least six characters, at least one digit--so,
> given that, and because it was for my phone account and involves at least
> semi-access to financial information, I tried to put a decent password
> in. It failed. Apparently, they have complexity *maximums*, too; only
> alphanumeric characters are allowed. Hate.

I'm in the process of setting up a Vodafone NL account. The only thing keeping me from snarling in frustration and hate is knowing that it's not the worst, since people have posted worse site crap here. But still, AAARRGGHHH!!!

What kind of complete arse-hat codes a Security Question with a limited selection of questions, including "In welke stad ben je geboren?" ("In which town were you born?") but rejects the answer for not meeting complexity requirements?? And how the frigging hell does this get through corporate sanity-checking, since it's the first introduction new customers have? Surely there's _someone_ double-checking this stuff first?

But no, apparently it is Wrong to be born in a town with only four letters in the name. According to Vodafone, everyone must be born in a town with between 5 and 32 characters, consisting of letters and numbers!

I can see it now, Vodafone's boss saying, "I'm sorry Mr Livingstone, but you're going to have to rename your city. Henceforth, please call it L0nd0n. Look, we're reasonable people, here's a bunch of cash to help pay for the tube."

Oh, and no it's not just a generic template routine for checking security fields, since the red text explaining why I'm so stupid with my security answers is explicitly mentioning the security question. Someone deliberately set it up like this. Shooting the idiot programmer could only be good for the gene pool.

"Het antwoord op de unieke vraag moet tusen de 5 en 32 tekens zijn en uitsluitend letters en cijfers bevatten"
From: Phil Pennock
Date: 21:07 on 25 Mar 2005
Subject: Re: Sites requiring registration to post a comment

On 2005-03-25 at 18:10 +0100, Phil Pennock wrote:
> "Het antwoord op de unieke vraag moet tusen de 5 en 32 tekens zijn en
> uitsluitend letters en cijfers bevatten"

Must learn to not rant when coming down with a temperature. I'll figure out how that translates when I recover. I've a sneaking suspicion that it's "only letters and numbers", so "London" is okay.

Living in a town named with a hyphen, I have to wonder what would happen if born here.

But still, no towns shorter than 5 letters?
From: Michael G Schwern
Date: 18:59 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

On Tue, Mar 22, 2005 at 08:24:37AM -0600, Peter da Silva wrote:
> [Click here] if you forgot your password.
>
> ...
>
> Enter your account name: [ ]
>
> ...
>
> Your question was... WHAT IS YOUR FAVORITE COLOR? [ ]
>
> Arse. What did I say for this one? Let's check my email... huh, they didn't
> send the answer in the link. Of course. OK, let's see... "bluenogreen".

I've got one better. Calling up Telerama (Pittsburgh ISP) to cancel my account as I had moved. I give them my username and account number. The fellow on the other end asks for my password, I don't know it. I've never needed it. That's fine, what did I answer for the security question? Well, what's the security question? He can't access that information.

!

He knows my answer but not what question I picked. Had I been quicker on my feet I'd have said "42" but I was too busy sputtering in amazement. Am I the first person to use this procedure? What the hell?

So we walk through each of the possible questions and I give him what my answer would have been, or if I'd have picked that one at all. Turns out none of them are right and we just wind up cobbling together my authentication through random bits of personal info.
From: Chris Nandor
Date: 19:21 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

At 14:14 +0000 2005.03.22, Earle Martin wrote:
>No, I don't want to register a FREE ACCOUNT! on your website just to post a
>fucking comment. Yes, Flickr, I'm looking at you.

My use.perl.org site requires registration to post. And it's a good thing, too, because it prevents a lot of comment spam, trolling, and other undesirable things (and I know this to be true, because by accident I enabled anonymous comments for a few months, and the amount of abuse on the site noticeably increased, which is how I found out that I had enabled anonymous comments). Sure, it also eliminates some good content, but it's a worthwhile tradeoff, IMO.

At 8:24 -0600 2005.03.22, Peter da Silva wrote:
>Huh? I'm gonna spam through a password reset script?

Yes. Trolls do it on Slashdot just to annoy the rightful user. There are other ways to deal with this, such as limits on how many password requests can be made from a given IP, or for a given account, but this is one way.

We used to automatically reset the password when a new one was requested ... that was just asking for abuse. Now, we create a new password, but don't activate it until it is used.

> Your question was... WHAT IS YOUR FAVORITE COLOR? [ ]
>
>Arse. What did I say for this one? Let's check my email... huh, they didn't
>send the answer in the link. Of course. OK, let's see... "bluenogreen".

Yeah, this is ridiculous. Worse, it is often used as a means to actually access the account, rather than to send you email providing that access, which means there is a backdoor into your account, which means your account is less secure. If someone knows your favorite color/mother's maiden name/pet's name, then they can access your account.

> We'll send a password reset link to your registered mail address.
>
>OK. Fine. Thanks. But IT'S ONLY A WEB BOARD. MAILTO is plenty secure enough.

If you mean that you just want your old password sent to you, the problem is that, on Slashdot, we do not KNOW your old password. It's stored crypt'ed. So we can't send it to you, we can only send you a new one, or a link to get a new one, etc.

If you mean sending a new one vs. sending a link to get a new one, there's not a significant difference between the two, that I can see.

>Arse! I don't remember what tagged address I used for this board...

Yeah, that's dumb when both are required. Either one is sufficient, user name or email address.

>and how
>does this improve security anyway? And it's STILL JUST A FUCKING WEB BOARD!

I tend to agree, but we got a lot of complaints from people who used private information as their password, or used the same password as other more important sites: if we made someone's password available by accident (as sometimes happens), then they got really angry that we exposed it because of what else it might be used for. So it was worthwhile to just take some extra steps to keep the password secure, because users are stupid.
From: Abigail
Date: 20:09 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

On Tue, Mar 22, 2005 at 11:21:18AM -0800, Chris Nandor wrote:
>
> Yeah, this is ridiculous. Worse, it is often used as a means to actually
> access the account, rather than to send you email providing that access,
> which means there is a backdoor into your account, which means your account
> is less secure. If someone knows your favorite color/mother's maiden
> name/pet's name, then they can access your account.

As if "favourite colour" is such a secure question. I mean, 95% of the people pick between less than 10 colours.

One digit passwords give more security.

Abigail
From: Chris Nandor
Date: 20:57 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

At 21:09 +0100 2005.03.22, Abigail wrote:
>On Tue, Mar 22, 2005 at 11:21:18AM -0800, Chris Nandor wrote:
>>
>> Yeah, this is ridiculous. Worse, it is often used as a means to actually
>> access the account, rather than to send you email providing that access,
>> which means there is a backdoor into your account, which means your account
>> is less secure. If someone knows your favorite color/mother's maiden
>> name/pet's name, then they can access your account.
>
>
>As if "favourite colour" is such a secure question. I mean, 95% of the
>people pick between less than 10 colours.
>
>One digit passwords give more security.

When I am required to answer questions like that, I usually give it arbitrary keyboard input, such as "dasdasdas" or "halhgalhgalhga", which is also more secure.
From: Abigail
Date: 21:31 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

On Tue, Mar 22, 2005 at 12:57:20PM -0800, Chris Nandor wrote:
> At 21:09 +0100 2005.03.22, Abigail wrote:
> >On Tue, Mar 22, 2005 at 11:21:18AM -0800, Chris Nandor wrote:
> >>
> >> Yeah, this is ridiculous. Worse, it is often used as a means to actually
> >> access the account, rather than to send you email providing that access,
> >> which means there is a backdoor into your account, which means your account
> >> is less secure. If someone knows your favorite color/mother's maiden
> >> name/pet's name, then they can access your account.
> >
> >
> >As if "favourite colour" is such a secure question. I mean, 95% of the
> >people pick between less than 10 colours.
> >
> >One digit passwords give more security.
>
> When I am required to answer questions like that, I usually give it
> arbitrary keyboard input, such as "dasdasdas" or "halhgalhgalhga", which
> is also more secure.

Yes, you're in the 5%.

Abigail
From: peter (Peter da Silva)
Date: 21:19 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

> My use.perl.org site requires registration to post. And it's a good thing,
> too, because it prevents a lot of comment spam, trolling, and other
> undesirable things (and I know this to be true, because by accident I
> enabled anonymous comments for a few months, and the amount of abuse on the
> site noticeably increased, which is how I found out that I had enabled
> anonymous comments).

If your website is valuable and important enough to people, then you can do that. But for flickr, or randomfansite.com?

> At 8:24 -0600 2005.03.22, Peter da Silva wrote:
> >Huh? I'm gonna spam through a password reset script?

> Yes. Trolls do it on Slashdot just to annoy the rightful user.

But requiring a troll to jump through an easy hoop like that won't stop the troll.

> We used to automatically reset the password when a new one was requested
> ... that was just asking for abuse. Now, we create a new password, but
> don't activate it until it is used.

That, or create a cryptographic key that can be used to reset the password.

> > We'll send a password reset link to your registered mail address.
> >OK. Fine. Thanks. But IT'S ONLY A WEB BOARD. MAILTO is plenty secure enough.

> If you mean that you just want your old password sent to you,

No.

> the problem is that, on Slashdot, we do not KNOW your old password.

If I meant "your old password" I'd say "your old password". A "password reset link" means just that. A link that you can follow or a message you can reply to that resets your password or otherwise gives you control when you reply/follow.

> If you mean sending a new one vs. sending a link to get a new one, there's
> not a significant difference between the two, that I can see.

Well, the difference is that when you send the link you only actually change the password when the link is used, so it can't be used to DOS the account owner.

But either of them fall under "MAILTO", either are quite acceptable.
From: Chris Nandor
Date: 22:05 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

At 15:19 -0600 2005.03.22, Peter da Silva wrote:
>> Yes. Trolls do it on Slashdot just to annoy the rightful user.
>
>But requiring a troll to jump through an easy hoop like that won't
>stop the troll.

It slows them down when they try to automate it with a script, which they have done in the past.

>> We used to automatically reset the password when a new one was requested
>> ... that was just asking for abuse. Now, we create a new password, but
>> don't activate it until it is used.
>
>That, or create a cryptographic key that can be used to reset the password.

Yes, that is another option. Not much difference.

>If I meant "your old password" I'd say "your old password".

Yes, but what you said didn't make sense, so I tried to guess.

>> If you mean sending a new one vs. sending a link to get a new one, there's
>> not a significant difference between the two, that I can see.
>
>Well, the difference is that when you send the link you only actually change
>the password when the link is used, so it can't be used to DOS the account
>owner.

The same thing when sending a new one, for us. The new password is not active until it is used the first time, so the account owner can just ignore the email.

>But either of them fall under "MAILTO", either are quite acceptable.

But you were talking about the password reset link as though it didn't fall under "MAILTO."
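The reset scheme argued over in this sub-thread (Chris Nandor's "new password not active until used", Peter's "cryptographic key that can be used to reset the password", and the per-account request limits mentioned earlier), as an added example that is not code from use.perl.org or Slashdot: the live password is untouched until the mailed token is presented, only a hash of the token is stored, the token is single-use, and reset requests are rate-limited per account. The one-hour lifetime and the three-requests-per-window limit are assumed policy values, not anything the thread states.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

RESET_TTL = 3600             # assumed policy: a reset token lives for one hour
MAX_RESETS_PER_WINDOW = 3    # assumed policy: reset requests allowed per account per TTL


@dataclass
class Account:
    password_hash: str                         # salted PBKDF2 hash; the plaintext is never stored
    pending_token_hash: Optional[str] = None   # hash of the outstanding reset token, if any
    pending_expires: float = 0.0
    reset_requests: List[float] = field(default_factory=list)


def hash_password(password: str, salt_hex: Optional[str] = None) -> str:
    """Return 'salt$digest' for the password, generating a fresh salt if none is given."""
    salt_hex = salt_hex or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return f"{salt_hex}${digest.hex()}"


def check_password(account: Account, password: str) -> bool:
    salt_hex, _ = account.password_hash.split("$")
    return hmac.compare_digest(hash_password(password, salt_hex), account.password_hash)


def request_reset(account: Account, now: float) -> Optional[str]:
    """Issue a one-time token for the mailed reset link.

    The live password is not touched, so a script hammering this endpoint cannot
    lock the rightful user out; they can simply ignore the mail.  Returns None
    when the per-account limit is hit (the web layer should reply identically
    either way so that account existence is not leaked).
    """
    recent = [t for t in account.reset_requests if now - t < RESET_TTL]
    if len(recent) >= MAX_RESETS_PER_WINDOW:
        return None
    account.reset_requests = recent + [now]
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token: a leaked database row does not yield a usable link.
    account.pending_token_hash = hashlib.sha256(token.encode()).hexdigest()
    account.pending_expires = now + RESET_TTL
    return token


def complete_reset(account: Account, token: str, new_password: str, now: float) -> bool:
    """Set a new password only if the presented token is current, valid, and unused."""
    if account.pending_token_hash is None or now > account.pending_expires:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, account.pending_token_hash):
        return False
    account.password_hash = hash_password(new_password)
    account.pending_token_hash = None   # single use: the same link cannot be replayed
    return True


if __name__ == "__main__":
    acct = Account(password_hash=hash_password("hunter2"))   # constructed sample account
    tok = request_reset(acct, now=1000.0)
    print("old password still valid after request:", check_password(acct, "hunter2"))
    print("reset with mailed token:", complete_reset(acct, tok, "correct horse", now=1001.0))
    print("new password valid:", check_password(acct, "correct horse"))
```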
From: peter (Peter da Silva)
Date: 01:44 on 23 Mar 2005
Subject: Re: Sites requiring registration to post a comment

> >But either of them fall under "MAILTO", either are quite acceptable.

> But you were talking about the password reset link as though it didn't fall
> under "MAILTO."

AUGH. OK, I understand. That was a lead-in to the following examples. I should have put it on a new line. Sorry. Pour proofreeding.
From: Yoz Grahame
Date: 00:09 on 23 Mar 2005
Subject: Re: Sites requiring registration to post a comment

On Tue, 22 Mar 2005 15:19:25 -0600 (CST), Peter da Silva <peter@xxxxxxx.xxx> wrote:
> > My use.perl.org site requires registration to post. And it's a good thing,
> > too, because it prevents a lot of comment spam, trolling, and other
> > undesirable things (and I know this to be true, because by accident I
> > enabled anonymous comments for a few months, and the amount of abuse on the
> > site noticeably increased, which is how I found out that I had enabled
> > anonymous comments).
>
> If your website is valuable and important enough to people, then you can do
> that. But for flickr, or randomfansite.com?

Absolutely! It's hard enough keeping comment spam off my blog, where I have special tools to do it. I don't want to have to spend ages cleaning it off my public photos too. Flickr has one of the most upbeat and friendly communities I've seen, and one of the prime reasons is that there isn't a load of random abusive scrawl all over it.

--
Yoz
From: Luke Kanies
Date: 19:25 on 22 Mar 2005
Subject: Re: Sites requiring registration to post a comment

On Mar 22, 2005, at 8:14 AM, Earle Martin wrote:
> No, I don't want to register a FREE ACCOUNT! on your website just to
> post a
> fucking comment. Yes, Flickr, I'm looking at you.

Hey, at least you can _see_ the photos without an account. A friend pointed me to pictures of his new baby on Ofoto, and you have to make an account just to _view_ the damn things. Astounding.
Generated at 10:26 on 16 Apr 2008 by mariachi