Maidens of the Kaleidoscope
~Bunbunmaru News~ => Front Page Headlines => Topic started by: helvetica on February 17, 2011, 03:02:56 PM
-
A new profile field has been added to replace username as a method of identification. Under Profile -> Account Settings you will see a new option named "Nickname", it will show up right under your avatar so people can recognize you even if you change your display name. This is PERMANENT, so choose wisely what you wish to be there. We are leaving the field open for editing for the next couple of days to let people set their own, but after that it can only be edited by an admin. At registration time you are forced to fill it out.
The field will be locked for editing after 2/20. After this time only admins will be able to set and edit this field. Don't put anything stupid, this is going to show up on your profile for the life of your account and we will only change it in cases of offensive or inappropriate nicknames.
Usernames are now hidden again, only staff and the owner of the account can see the actual username you use to login with.
-
So, just so I get this straight, the nickname becomes the permanently displayed name in your profile where your username used to be visible, while the username is the one with which you log on, and the two must not be the same...
Would it be possible to keep the former username as the nickname and change the username instead? Aside from being what at least some people would prefer name-wise, it seems to me that it would also be safer than keeping the login name the same as before. Or maybe I am just being paranoid again.
If that is too much work in one way or another (I wouldn't know, sorry), well, too bad, but if you could do that, it would be pretty cool.
Anyways, props on the quick reaction to the attacks and thanks for the information and work you are doing. :)
-
Since I'll always be known as Gpop and I PREFER to be known as Gpop (not Koipop that was just for a time being) this is something very good for me. Thank you TSO.
-
So, just so I get this straight, the nickname becomes the permanently displayed name in your profile where your username used to be visible, while the username is the one with which you log on, and the two must not be the same...
Yes, your login name (username) is now no longer visible by anyone except you or the staff. It used to be open to anyone who could view profiles as it was something that wasn't user-changeable and unique, but now because of the attacks it is hidden again. Your username should not match ANYTHING publicly identifiable on your account, so don't set your display name, your nickname, or any instant messaging nicks to your username.
Would it be possible to keep the former username as the nickname and change the username instead? Aside from being what at least some people would prefer name-wise, it seems to me that it would also be safer than keeping the login name the same as before. Or maybe I am just being paranoid again.
If that is too much work in one way or another (I wouldn't know, sorry), well, too bad, but if you could do that, it would be pretty cool.
Oh we can easily do that. Just send a note to any of the admins (me, Kilga, Edible, Matsuri, 7hs and Ruro), and we can have your username changed and then you can go ahead and set that as your nickname.
I know this is kind of frustrating for everyone but we have everyone's safety and security in mind. By divorcing your public name from your login name, it will be nearly impossible for someone to even attempt to bruteforce your account.
-
One small suggestion: If someone's displayed name is the same as their nickname, it seems weird/awkward to have both shown beside each post. I think this is a cool idea overall, though, and is a great way to keep changeable display names without it getting out of hand.
-
One small suggestion: If someone's displayed name is the same as their nickname, it seems weird/awkward to have both shown beside each post. I think this is a cool idea overall, though, and is a great way to keep changeable display names without it getting out of hand.
There's no easy way for me to check if they both match, so it'll have to be for now.
-
I know this is kind of frustrating for everyone but we have everyone's safety and security in mind. By divorcing your public name from your login name, it will be nearly impossible for someone to even attempt to bruteforce your account.
That's awesome because my login name here is different from my nick :D
-
This is probably going to feel awkward for a few posts, as I haven't used a separate name anywhere since the summer of 2007 when I assumed the name *fakeremoved for security reasons* on the Internet for the first time. Right now I'm nicknaming myself as my main in MUGEN (even though I haven't uploaded a vid of it in months and am basically retired as far as that's concerned). Hopefully I can think of something better before the deadline, as it seems silly to have a name that sounds like the Touhou equivalent to Master Hand on a Touhou forum and an RP account to anyone who knows about Dragon Claw. I was actually going to do this in a MUGEN forum as an April Fool's joke, but decided not to.
If anyone cares, this is the image I'm using (I tried to upload it to Danbooru long ago, but it went unapproved). (http://www.pixiv.net/member_illust.php?mode=medium&illust_id=1808891)
Anyway, would it be risky to put my YouTube account in the URL field due to a match with my username?
-
I would recommend against it. But to be honest the risk of someone coming through, making 10 posts, just to harvest URLs/IM names to attempt logins is very low.
We can just change your username (what you log into the forums with) to something random but memorable for you if you're really worried though. Then you can have your nickname/display name be whatever you want.
-
This is great! Now I can change my display name when I get a new avatar without fear of becoming unrecognizable :D
-
Are we required to fill out this field? Do we have the option of leaving it blank?
-
We would prefer if you filled it out with something so if you change your display name for whatever reason there's something to fall back on. It's mandatory for all new registrations so I would say yes it's mandatory here, even if it's just the same thing your display name is. Eventually I will have some sort of code that checks your display name and if they're the same will remove the tag from view.
-
Thank you for this. It gives me an excuse to change my nick to this without making me a hypocrite about the irritation of nick changing obscuring identity.
-
Thank you for this. It gives me an excuse to change my nick to this without making me a hypocrite about the irritation of nick changing obscuring identity.
I recognize you by your siggy and avatar :3
-
We would prefer if you filled it out with something so if you change your display name for whatever reason there's something to fall back on. It's mandatory for all new registrations so I would say yes it's mandatory here, even if it's just the same thing your display name is. Eventually I will have some sort of code that checks your display name and if they're the same will remove the tag from view.
Alright then, done.
I appreciate the measures you're taking to make things more secure here, and that you're keeping things as transparent as possible about what's going on and why.
-
I have a question. What are you DOIIIIIING?!
Is the issue with people whose login and display name is identical? What's so bad about it? The password is supposed to be the secret thing that protects your account, not your username O.o
And if it's something about logging out people whose accounts had password failures, then... don't end their sessions, and instead come up with something better?
-
I have a question. What are you DOIIIIIING?!
Is the issue with people whose login and display name is identical? What's so bad about it? The password is supposed to be the secret thing that protects your account, not your username O.o
And if it's something about logging out people whose accounts had password failures, then... don't end their sessions, and instead come up with something better?
If your login name isn't publicly visible, it can't be brute forced. That's what this is all about; making it so that the login handles aren't publicly visible.
Eventually I will have some sort of code that checks your display name and if they're the same will remove the tag from view.
Well that was fast. Thanks.
-
OK code in place to hide the nickname field if it matches your current display name. :3c
I have a question. What are you DOIIIIIING?!
Is the issue with people whose login and display name is identical? What's so bad about it? The password is supposed to be the secret thing that protects your account, not your username O.o
No username, no bruteforcing. There's nothing to attempt password breaks at if you can't even get the login name. We're under bruteforce attack and will continue to be for the foreseeable future. I cannot block the attempts as they're coming from all over the place, so to reduce the attack surface we are keeping login names out of anything publicly viewable.
After being in IT for the past 8 years I've learned never to trust users to make secure passwords, or to use a unique password for each of their logins. Rather than enforce a password strength policy that does nothing except cause headaches, I've chosen to hide from prying eyes the big piece of the puzzle, the login name. The ONLY people attacked so far had their display name equal to their username. Without a valid login name they can sit there and spin their wheels as much as they want but will get nowhere.
And if it's something about logging out people whose accounts had password failures, then... don't end their sessions, and instead come up with something better?
All current user sessions are invalidated when you fail to login as a security measure. This is so active sessions cannot be hijacked if such a vulnerability surfaced. I will not be disabling this or changing the behavior.
-
Honestly... the 'this is who it is!' type display is something I'm surprised didn't exist before!
-
OK code in place to hide the nickname field if it matches your current display name. :3c
Wow. That was fast.
I really have to commend you on the speed and efficiency with which this was taken care of. Great job, TSO.
-
It actually took quite a bit of work to get it together, before I was lazy and I just exposed usernames in the profile so people can see who's who that way. But out of necessity we are now hiding that information again so I had to figure out how to get a new profile field added. Not only that, but make it so it's only admin editable.
SMF has some barebones support for custom fields thankfully, still required some hacking to get the autohide and stuff like that :V
-
I chose something else for my nick that I probably wouldn't use as a screenname, though that was before TSO got that new coding in. Had I waited I would have kept the nick as the English spelling of my screenname. Oh well. I still like the name Sparky anyway. :V
-
Is there any reason you didn't just go with email addresses as login instead? Makes a lot more sense than having 3 different names to me, doubly so because no normal user can/could see emails.
I'm assuming that SMF doesn't do something braindead like sending over SHA1(username:password) on login.. which, to be fair, might be a bad assumption.
-
Is there any reason you didn't just go with email addresses as login instead? Makes a lot more sense than having 3 different names to me, doubly so because no normal user can/could see emails.
I did what was quickest and easiest. I considered email addresses but it would have required extensive rebuilding of the registration/login system. We've been wanting a solution to identifying people who change display names often anyhow, this kills two birds with one stone.
Your display name can match your nickname. When that occurs it just hides the nickname field. The only one of the three that has to be unique is your USERNAME, what you login with. Really the only people that have to rotate usernames are people who wish to use their "current" username as their new nickname.
I'm assuming that SMF doesn't do something braindead like sending over SHA1(username:password) on login.. which, to be fair, might be a bad assumption.
This was all bruteforcing from what I can tell. They just assumed display name = username and tried to bruteforce login those. The only people that had any sort of successful attempts all had their username matching their display name, and I don't see the bruteforce attacks ceasing anytime soon. The real big change was hiding the username again, and since it had been out in the open for so long, it was kind of a moot point without also recommending username changes.
-
Pointed this out in the attacks thread; figured I should point it out here too.
Anyone whose display name has ever matched their username should get their username changed, since old quotes keep their authors' old display names.
-
/nick Drake
-
We've been wanting a solution to identifying people who change display names often anyhow, this kills two birds with one stone.
Anyone whose display name has ever matched their username should get their username changed, since old quotes keep their authors' old display names.
Tangentially related, but I've wondered if it wouldn't make more sense for quotes to say, "quote from" Nickname instead of "quote from" DisplayName.
-
Tangentially related, but I've wondered if it wouldn't make more sense for quotes to say, "quote from" Nickname instead of "quote from" DisplayName.
I'm not sure what it'd take for me to do that. I can look into it. Part of the problem is the quote name is actually baked into the post at the time of posting (look at the quote string next time you post). So it's not automatically updated when people nickchange etc.
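
An added example, not part of the original posts and not the forum's own code: an admin-side audit for the two points made in this thread, that a login name should not match anything publicly visible on the account, and that old quotes keep whatever name was baked in at posting time. The member fields, the sample members and posts (all constructed), and the `[quote author=... link=...]` tag layout are assumptions for illustration.

```python
import re

# Assumed quote tag layout: [quote author=NAME link=topic=... date=...]
QUOTE_AUTHOR = re.compile(r"\[quote\s+author=(.+?)(?:\s+link=|\])", re.IGNORECASE)
URL_SPLIT = re.compile(r"[/?&=#:]+")

def norm(name):
    """Compare names case-insensitively and ignore surrounding whitespace."""
    return name.strip().casefold()

def quoted_authors(post_bodies):
    """Collect every author name baked into quote tags in stored post bodies."""
    authors = set()
    for body in post_bodies:
        for match in QUOTE_AUTHOR.finditer(body):
            authors.add(norm(match.group(1)))
    return authors

def audit(members, post_bodies):
    """Return {login: [public places where that login name is exposed]}."""
    baked = quoted_authors(post_bodies)
    findings = {}
    for m in members:
        login = norm(m["login"])
        reasons = []
        if login == norm(m["display_name"]):
            reasons.append("display name")
        if login == norm(m["nickname"]):
            reasons.append("nickname")
        if login in {norm(n) for n in m.get("im_names", [])}:
            reasons.append("IM name")
        if login in {norm(t) for t in URL_SPLIT.split(m.get("website", ""))}:
            reasons.append("website URL")
        if login in baked:
            reasons.append("old quote")
        if reasons:
            findings[m["login"]] = reasons
    return findings

# Constructed sample data (hypothetical members and posts).
MEMBERS = [
    {"login": "tidepool", "display_name": "Moonlit Reader", "nickname": "Reader",
     "im_names": [], "website": ""},
    {"login": "q7-lantern-42", "display_name": "Clockwork", "nickname": "Clockwork",
     "im_names": ["clockwork_im"], "website": "http://example.org/clockwork"},
    {"login": "brasskey", "display_name": "Hatter", "nickname": "Hatter",
     "im_names": ["BrassKey"], "website": "http://www.youtube.com/user/brasskey"},
]
POSTS = [
    "[quote author=tidepool link=topic=100.msg2000#msg2000 date=1290000000]old[/quote] reply",
    "[quote author=Moonlit Reader link=topic=100.msg2001#msg2001 date=1297000000]new[/quote]",
]

if __name__ == "__main__":
    for login, reasons in audit(MEMBERS, POSTS).items():
        print(f"{login}: login name exposed via {', '.join(reasons)}")
```

Accounts that come back with findings are the ones that would need an admin-assigned username change; the "old quote" case catches members whose current display name no longer matches but whose earlier one did.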
-
Hopefully this should end the problems caused by the attacks. I haven't been around MotK for that long, anyway, so changing my display name/nickname doesn't hurt me too much, anyhow. Thanks for the effort! :D
-
I actually like having 'legacy' quoted-by names; lets you see what's going on if the conversation relied on namechange shenanigans.
But eh.
-
Seconding E-Mouse on this.
-
I couldn't think of a sensible nickname and I removed the reference to my nickname in my display thing too.
Will try to think of something sensible before it's mod only.
-
I couldn't think of a sensible nickname and I removed the reference to my nickname in my display thing too.
Will try to think of something sensible before it's mod only.
Your nickname and display name can overlap as much as you want; your username is what you want to keep secret.
-
A lot of people seem to be confused about the terminology and what name does what, so maybe a word switch is in order? Login name, profile name, and display name, perhaps?
-
Yeah, that would be the clearest set of terms for it, I think, but I'm not sure how easy that would be to set up.
-
How about the "Username" part in people's profile pages? That has their login names right there, plain as day.
-
Only the user in question (and the admins?) can see the Username field on the profile page.
-
How about the "Username" part in people's profile pages? That has their login names right there, plain as day.
Only staff and yourself can see it. You can't see it on anyone else's profile.
-
Thanks TSO, I think this will make things a lot safer yes.
-
Hmm ... Toying with the idea of changing my login-name to something which would function as a fairly strong password ... :3
-
Not only safer, but quicker on Identification!
Many thanks!
-
Done.
This is wonderful, now I have two wonderful names XD :D
-
Hmm. How curious.
Well, I couldn't think of anything witty, so I went with a quick Google translation and came up with fanatico de zorro.
I'm probably gonna toy with things a bit more, now, though.
-
After reading the posts here I am more confused than before.
I do understand that "User Name" is supposed to be the log-in name which you should keep secret.
Will the "Nickname" always stay where it is displayed now or will it replace what "Name" currently does in the Account Settings?
If so, does that mean we will not be able to change our displayed names in the forum at all?
-
You can change display name freely. Nickname will be displayed if your display name (the "name" field in your profile) does not match it. Nickname will not be user changeable, once it's set it can only be changed by an admin. We're allowing people to freely edit it until the 20th since we just introduced the field, but after that you will not be able to change it.
The idea is to have some sort of indicator in which to identify you by. This used to be the username field, but now that it's obvious we're going to be attacked for the foreseeable future, I decided to implement a new profile field to serve the purpose that wasn't involved in the login process at all.
-
But what if I want my user name to be my nickname?
-
But what if I want my user name to be my nickname?
That pretty much defeats the purpose. The point of the new usernames is so nobody can hack you / log you out. I wanted to keep Agent of the BSoD as my username, but if a new one is in order, you better think of one. It's just something that people will have to get used to. It's not really that big of a deal anyway, since no one else can see it. (except the admins, and you)
-
But what if I want my user name to be my nickname?
Then give me a new username to change your current one to?
-
Oh, for some reason I couldn't think you could do that. I'll get back to you later then.
-
You can't but an admin can.
-
How do we change our login names, anyway? gfdsgfsdg nevermind
-
How do we change our login names, anyway?
Only admins can change usernames, so you have to PM an admin.
-
I can't see the field. I know it's a long shot to ask (due to ridiculousness), but has it not been implemented for all accounts yet or is there some other problem?
-
I can't see the field. I know it's a long shot to ask (due to ridiculousness), but has it not been implemented for all accounts yet or is there some other problem?
The field will be locked for editing after 2/20.
-
No I said from the start the field is open for editing up until the 20th. That was 2 days ago. You now have to ask an admin to get the field changed.