Kuro5hin.org: technology and culture, from the trenches
I've got accounts everywhere; and I'm tired of it

By tnt in Internet
Fri Mar 02, 2001 at 05:19:55 PM EST
Tags: Round Table (all tags)

At every new weblog, every new news site, every new store site, and at almost every new website in general, I have to create a new account. I need a new account to post in the site's forums, or to read a story, to purchase a product, or....

But I am tired of having all these accounts everywhere. All these user names and passwords to keep track of; all my stuff scattered across multiple websites. I want some kind of unity. And I do not think I am alone in this. So what should be done?



The main problems with having accounts everywhere are:

  1. I have to keep track of all these user names and passwords;
  2. I have stuff -- files, diary entries, comments to stories, web pages, articles, etc -- scattered across the Web (and the Internet in general) with no easy way for me to see them without having to hunt them all down.

I do not think we can simply do away with user accounts. There is a need to have an identity. For example, simply letting everyone just post to a forum, without having some way of telling the author of one post (in the forum) from another would be incredibly confusing. Sure a person could sign each post at the end -- like a letter -- with something like:

Hello,

Blah, blah, blah. Blah blah!


Truly Yours,
Joe Blow

But this technique of identifying people has problems. For one, what if you forgot to sign it? Also, what if someone else gives something they write your signature (and impersonates you)? So this would seem to not be the answer.

Some groups now have universal account systems that can be used from website to website. That way you only have to remember one user name and one password. [Examples of these systems are: Microsoft's Passport, and AOL ScreenNames. If anyone else knows of any more examples, I would like to hear about them.] These systems make it so any website can use these account systems as their own, thus fixing problem (1) [listed at the beginning of this article]. And this technique seems no less safe or secure (to the user) than each website having their own accounting system; although there are issues with privacy [with these systems].

As an alternate possibility, we could use digital signing techniques to digitally sign everything. [An example of this technique would be the use of public-key/private-key techniques. I am not an expert on this topic, so I would be interested in hearing other methods for digitally signing things.] This too solves problem (1) [listed at the beginning of this article].

But are these the only techniques? You tell me.

Also, problem (2) [listed at the beginning of this article] has not been solved by any of these. None of these techniques gives me an easy way of seeing all my stuff scattered across the Web.

I think whatever solution is used [to solve problem (1) and problem (2) listed at the beginning of this article], we need to give the user as much privacy as possible. The universal account systems [like Microsoft's Passport and AOL ScreenNames] have the problem that one entity will be tracking your activities on the Web. [Something I have a huge problem with.]

Also, if you were thinking that to solve problem (2) [listed at the beginning of this article], to have a central website, or some other entity, have records to keep track of all your stuff, then I would say think again. This too does not respect your privacy.

As I see it, the best way to solve problem (1) [listed at the beginning of this article], is to use digital signing techniques [without a central place that gives out and stores signatures, but where everyone can create and use a signature at their whim]. And, the best way to solve problem (2) [listed at the beginning of this article], is for each user to have some kind of application [that they are in complete control of] that will keep track of their stuff. [Of course to do this, some kind of infrastructure, on the web, needs to be created. Maybe a system similar to the RSS system -- a custom XML format that is used to generate data, given a user has authenticated themselves, which is all communicated over a secure connection.]

But that's my opinion (given my knowledge of things, right now). So what does everyone else have to say? What does everyone else think?

I've got accounts everywhere; and I'm tired of it | 54 comments (45 topical, 9 editorial, 0 hidden)
Power to the Client (4.25 / 4) (#3)
by zephiros on Fri Mar 02, 2001 at 12:16:44 PM EST

Right now, Mozilla keeps track of all that information for me. For the most part, it does a pretty good job. The problem, from my standpoint, is that there is no easy, ubiquitous way to pack that information up and carry it with me. IMO, good smart card integration in Mozilla and universal smart card access on workstations could fix this.

Ultimately, I'd rather control how my data was stored and encrypted than trust a certificate authority to do this on my behalf. I don't think this is the "driving safety vs. flying safety" fallacy, either. I've seen too many bone-headed implementations of "secure" web systems to trust one with all my web mail, e-com, and discussion board passwords.
 
Kuro5hin is full of mostly freaks and hostile lunatics - KTB

Need for infrastructure (none / 0) (#17)
by tnt on Fri Mar 02, 2001 at 02:37:36 PM EST

You said:

The problem, from my standpoint, is that there is no easy, ubiquitous way to pack that information up and carry it with me. IMO, good smart card integration in Mozilla and universal smart card access on workstations could fix this.

One way of fixing this would be to have an infrastructure in place (like I mentioned in the article), where you could easily grab your information from each place. Something maybe similar to the way you can currently grab news from websites using RSS. Of course there would likely need to be an agreed-upon set of XML formats to communicate this information. One XML format for forums; another XML format for your store purchase history, etc.



--
     Charles Iliya Krempeaux, B.Sc.
__________________________________________________
  Kuro5hin user #279

[ Parent ]
Overkill (none / 0) (#39)
by zephiros on Sat Mar 03, 2001 at 05:38:22 AM EST

If the problem were "how do I guarantee that, even if a retailer leaks my card number, no one else can make purchases with my credit card?" then perhaps a PKI and digital certificates would be an appropriate solution. OTOH, if the problem is "how do I cope with having one password at slashdot, one at kuro5hin, one at hotmail, etc," then, IMO, a PKI is overkill. Rusty and Inshiro have no legitimate need to be able to verify that I'm actually Jimmy Hatt, living at 321 Lonely St, c/o Heartbreak Hotel. All they need to verify is that I'm probably the same person who logged in as 'zephiros' last time. Client-side password management is more than equal to this task.
 
Kuro5hin is full of mostly freaks and hostile lunatics - KTB
[ Parent ]
The biggest problem with #2... (4.80 / 5) (#4)
by ramses0 on Fri Mar 02, 2001 at 12:24:09 PM EST

...is interfaces. I've done quite a bit of web-based development, 90% of the time is spent writing code/navigation so that the data you display makes sense.

For example: here on K5, we get, let's say 50+ comments a day. The only reason that K5 is still useful is because all those comments are categorized, parented, nested, etc... If K5 were just a flat text file of 50 comments it would be significantly less useful.

The problem is not with getting the data (SELECT * FROM comments_table WHERE username LIKE 'tnt'), the problem is putting that data in the proper context, and displaying it within clumps that make sense.

The bigger problem with using the internet to store stuff, is that I can't get to "my" data. Example: mail.yahoo.com. I used to have a simple pop/imap account with my university. We used pine as our mailreader, and before I graduated, I did a mass dump of all my messages to a few text files, and downloaded them to my home computer.

Since graduating, I've used yahoo's web-based mail, and I like it. Accessible from everywhere, high reliability, reasonably secure without me worrying. The problem is that I can't get a straight text-file dump of my mail in my folders so that I can:

  1. have offline access to it (on a laptop, for example)
  2. grep -2 'close_friend@something.com' *.mbx | more
  3. make my own backups of it (ie: burn to cdr)
  4. write my own interfaces into it (ie: parse out all the subject lines, sorted by date & person, who I mailed between 1996 and 1997 and message body included a URL).
  5. move my mail archive to a different provider (more secure, more stable, whatever)

To yahoo, my email is "sticky content" and the fact that I can't get it out of them is a "switching cost". To me, my email is mine, and yahoo is just holding it for me. The fact that I can't get it from them is seriously making me consider setting up my own sort of mail-server/mail archive.

That is the biggest problem with using random internet websites to store your data. It's all stored in essentially a proprietary format, and the companies who are storing it do not necessarily want you to get your raw data back. Even K5. It would be fairly straightforward to rectify (SELECT ... INTO OUTFILE ...; tar cf blah.tar outfile.txt; [a href=blah.tar]download[/a]), but why would anybody want to do that? ;^)=

--Robert
[ rate all comments , for great justice | sell.com ]

Not entirely true (5.00 / 2) (#38)
by decaf_dude on Sat Mar 03, 2001 at 01:22:36 AM EST

I use Yahoo! Mail too for the same reasons (along with a few other of their features, such as calendar, notepad, etc.). Yahoo! allows for POP access to your mail ('Options' -> 'POP Access & Forwarding'), so when my mailbox becomes too big (e.g. once a month), I simply use my regular POP client and download my mail on my desktop for archiving. If your POP client allows, select 'Erase from Server', or you can manually delete all messages in Yahoo! after you've downloaded them into your POP client. I used a similar technique to "rescue" some of my old mail on Hotmail (tip: MS Outlook Express can access HTTP mail).

--
http://slashdot.org/comments.pl?sid=89158&cid=7713039


[ Parent ]
Safety and security. (5.00 / 1) (#5)
by Kugyou on Fri Mar 02, 2001 at 12:26:29 PM EST

Now, granted, there's always the paranoid view that safety lies in obscurity. Hide everything all over the place and it's safe. To a lesser extent, I have to agree. I tend to have a few main passwords that I use, or use variations of, for most of my site accesses. But my usernames on those sites are - for the most part - not even close to the same. When you start getting into things where your one username/password pair gets you into 30,000 sites, that's another issue altogether. For an example of this that does not involve forums and 'your stuff', look at AdultCheck or any of the AVS's out there. That one password can get you into all sorts of sites, and if someone gets their hands on that password (and keeps it to themself so that the AVS doesn't know it's been stolen), they now have a free membership because of your password. Now, let's get paranoid. When you have one username, one password, and the possibility of a universe of accessible information, a single compromise means a universal compromise. The issue of security does not lie in the time it takes one person to access one password and crack one account, it lies in the time it takes that person to access your entire universe of data.
-----------------------------------------
Dust in the wind bores holes in mountains
Most of this is already solved... (4.00 / 1) (#6)
by jd on Fri Mar 02, 2001 at 12:42:37 PM EST

...with authentication servers, such as Kerberos. (I suspect that that is part of the reason Microsoft re-implemented - cough! - it, to provide many services with one username/password.)

Thinking up something for Freenet (none / 0) (#8)
by hardburn on Fri Mar 02, 2001 at 12:54:41 PM EST

I just had a blinding flash of insight for something that might work on Freenet. A cookie containing an SVK public key is kept on your system. This cookie can be made so that it appears to be assigned by all, so anybody can view it (I believe this is possible to do, I'd have to look it up to make sure, though).

When you go to a site, and you log in under (say) "user", it then looks in Freenet at SSK@<pu-key>,user, which is an XML file containing various information about you.

Just a thought. Admittedly, this isn't really the place for it, but I just had this idea while reading this story.


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


Correction (none / 0) (#9)
by hardburn on Fri Mar 02, 2001 at 12:55:31 PM EST

SSK@<pu-key>,user

s/<pu-key>/<pub-key>/

----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


[ Parent ]
Nope (5.00 / 1) (#29)
by rusty on Fri Mar 02, 2001 at 05:12:02 PM EST

RFC 2965. Cookies must have at least two dots in the HOST field, and if only one is supplied, another will be prepended to the beginning of the string. So 'www.kuro5hin.org' is legal, and will match this host. 'kuro5hin.org' will be interpreted as '.kuro5hin.org' and will match any host '*.kuro5hin.org'. But there's no way to set a cookie that's readable by anyone.

There are, however, a bunch of clever ways you could get around this. For example, an image can set a cookie. If you had a freenet gateway at "www.globalpasswords.com", any site that wanted to work with that system could simply include a 1x1 clear graphic that served from that domain, and could read and set your cookie for any member site.

Even simpler would be to just make it easy for site owners to set up their own freenet gateways. They could each set their own cookie, referring to the same login resource on freenet. It would be as transparent, but wouldn't require you to rewrite the cookie spec. :-)

____
Not the real rusty
[ Parent ]

hacking around cookies (none / 0) (#45)
by hardburn on Mon Mar 05, 2001 at 10:08:13 AM EST

The hack you mention is unacceptable for Freenet, because it needs a centralized server to work (Freenet abhors any centralization). If you have to have centralization in Freenet (except as temporary hacks, as in the case of inform.php), then it isn't worth doing.

Once again, I venture into territory unfamiliar to me. You could set the owner as a Freenet SSK, such as "freenet:SSK@<pub-key>,.owner.free", then have the page load an image at "freenet:SSK@<pub-key>,.owner.free/blank.png".


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


[ Parent ]
password problem (none / 0) (#11)
by interiot on Fri Mar 02, 2001 at 01:28:09 PM EST

A possible solution would be to generate the password based on some fact(s) about the site. Possibilities might include the domain name or the whois registrar.

It could be implemented via a javascript bookmark that either calculates the password in the browser, or pops up a window to a CGI script you've made.

Microsoft Passport (2.75 / 4) (#12)
by DeadBaby on Fri Mar 02, 2001 at 01:36:17 PM EST

This is the basic idea behind MS passport services. The same username/password that logs you into hotmail can log you into MSDN or beta.microsoft.com. It works very well.

I could see this being a popular service if it were free and open for anyone to use. (including being very easy to support) I just use the same username/password for almost every account. Sure, it's a risk but it's so much easier.

I'd love to see smart cards become a standard device on new PC's.
"Our planet is a lonely speck in the great enveloping cosmic dark. In our obscurity -- in all this vastness -- there is no hint that help will come from elsewhere to save us from ourselves. It is up to us." - Carl Sagan
Read the article? (none / 0) (#21)
by Speare on Fri Mar 02, 2001 at 03:47:21 PM EST

The author mentioned Passport, and raised specific problems with using it.

If you're going to post a reply, read the whole writeup, and not just the part over the fold?


[ e d @ h a l l e y . c c ]
[ Parent ]
Cookies. (1.60 / 5) (#14)
by Signal 11 on Fri Mar 02, 2001 at 02:14:04 PM EST

Wasn't the W3C working on something called the "street performer protocol" to deal with problems like these? IIRC, there were some "privacy" concerns with the protocol, but it has extensive access controls to say what websites do, and do not, get access to - and it is unified on the client-side. With a simple modification to current web browsers to do this, we could let our web browsers handle password generation, account creation, etc., automagically.




--
Society needs therapy. It's having
trouble accepting itself.

no (4.00 / 1) (#16)
by delmoi on Fri Mar 02, 2001 at 02:25:24 PM EST

they are working on p3p, street performer protocol is something else
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
Mac keychain (4.00 / 2) (#15)
by Ludwig on Fri Mar 02, 2001 at 02:22:00 PM EST

The Mac OS's Keychain feature (don't know if it's implemented in OS X yet) stores your various logins & passwords in a local file, so you only have to remember one password to unlock your keychain. Problem is, support for the Keychain is application-dependent, and I don't think any browsers have had support for it written into them yet.

*ahem* (3.50 / 2) (#50)
by Kyrrin on Wed Mar 07, 2001 at 05:06:27 AM EST

iCab does!

Not a part of the iCab team, just in love with the browser...


"I'm the screen, the blinding light; I'm the screen, I work at night. I see today with a newsprint fray, my night is colored headache grey, don't wake me with so much..." -- REM
[ Parent ]
Problems with one account (4.00 / 1) (#18)
by skim123 on Fri Mar 02, 2001 at 03:11:50 PM EST

Sometimes I want to have different accounts on different sites. For example, I'd like to be able to post here as skim123 but perhaps I don't want to be posting as skim123 on FurrySquirrelSexDiscussion.com, for fear of people coming to realize that I have a squirrel fetish.

The Passport stuff for Microsoft's sites are nice enough, but it can be a pain because sometimes I want to be my default self for Hotmail/MSN, but for other MS sites I want to be a different user.

I agree that having a bunch of nicks/passwords is annoying. If I want to be the same person on a number of sites I'll use the same nick (as I do here and on /.), and similar passwords (not identical rusty, just similar ones). :-)

Money is in some respects like fire; it is a very excellent servant but a terrible master.
PT Barnum


Good Article (4.00 / 2) (#19)
by Eloquence on Fri Mar 02, 2001 at 03:26:31 PM EST

Identity scattering is a real problem. And I agree with you that the directories by AOL, Microsoft, Yahoo (Yahoo! IDs), Amazon ("One-Click" cookies) etc. cannot be the solution. Not only because of user tracking, also because it effectively gives these corporations the possibility to lock out users from large parts of the Internet.

Not when it's very easy to create fake accounts, but this can be changed once one system has established a monopoly: Just require users to register with a SSN, do telephone confirmations, require digital signatures you only get at a bank or some other identity-check. Now, once you lock me out of this system forever, I cannot easily get back in. This is a little like requiring to give out your personal information when you buy a newspaper or a book -- and throwing you out if you've bought the wrong books or newspapers in the past.

Your solution of doing it user-side makes a lot of sense. Unfortunately, it will be hard to get this implemented in web browsers, but new decentralized networks will have to take care of it: Both the user-side tracking of your information and digitally signing everything you write (pseudonymously or with your real name).
--
Copyright law is bad: infoAnarchy Pleasure is good: Origins of Violence
spread the word!

The strategy I use... (4.00 / 2) (#22)
by slambo on Fri Mar 02, 2001 at 03:47:58 PM EST

My strategy is to use the same login name on all the sites if possible. Sometimes my login is already taken, but so far I've been able to append 42 to the login and successfully create an account.

Passwords are a different story. I create a unique password for each site, but this introduces the probability that I'll try to use the wrong password on a site. I haven't come up with a simple and secure method for creating and remembering these unique passwords yet, so I'll just have to struggle along with the occasional forgotten one.
--
Sean Lamb
"A day without laughter is a day wasted." -- Groucho Marx

I do that too, but.... (none / 0) (#24)
by tnt on Fri Mar 02, 2001 at 04:31:22 PM EST

I too try to get the same user name on most sites, if I can. Which does make things a bit easier.

As far as passwords though, I have a book that I write them down in. (I have way too many passwords.)



--
     Charles Iliya Krempeaux, B.Sc.
__________________________________________________
  Kuro5hin user #279

[ Parent ]
Securing Passwords? (none / 0) (#30)
by SDrifter on Fri Mar 02, 2001 at 05:27:55 PM EST

I've tried to think of ways to secure passwords, also, and the best thing that I can think of (if you have a PDA or something like it, so your password doesn't show up on your monitor) is to take the site's name and somehow hash it using your password as a key. It would solve the problem of generating a unique password for each site, and there's only one you would really have to remember, as long as you had the system to generate passwords handy.

Just a thought.


--
It burns!!!
It's loaded with wasabi!
[ Parent ]
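
The scheme suggested in this comment and in interiot's comment (#11) above, deriving each site's password from one memorized secret and the site's name, sketched as an added example (not code from any poster). PBKDF2-HMAC-SHA256 as the keyed hash is a choice made here, and the function names, alphabet, counter and iteration count are assumptions.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Output alphabet (an assumption; some sites restrict symbols or length).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def normalize_site(site: str) -> str:
    """Reduce a URL or host name to one canonical lowercase host.

    Without this step 'http://WWW.Kuro5hin.org/login' and 'kuro5hin.org'
    would silently produce two different passwords for the same account.
    """
    site = site.strip()
    if "://" not in site:
        site = "//" + site  # make urlsplit() treat the text as a host
    host = (urlsplit(site).hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError(f"no host name in {site!r}")
    return host


def site_password(master: str, site: str, username: str = "",
                  counter: int = 1, length: int = 16,
                  iterations: int = 200_000) -> str:
    """Derive a per-site password from one memorized master secret.

    counter lets a single site's password be rotated without changing the
    master secret; username keeps two accounts on one site distinct.
    """
    if not master:
        raise ValueError("master secret must not be empty")
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    salt = "\x00".join((normalize_site(site), username, str(counter)))
    # PBKDF2-HMAC-SHA256: a keyed hash made deliberately slow, so that a
    # site which leaks its derived password does not hand out a cheap
    # oracle for guessing the master secret.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              salt.encode("utf-8"), iterations, dklen=64)
    # Read the 512-bit output as one integer and peel off base-74 digits;
    # the integer is so much larger than 74**length that bias is negligible.
    number = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        number, index = divmod(number, len(ALPHABET))
        chars.append(ALPHABET[index])
    return "".join(chars)


if __name__ == "__main__":
    master = "constructed example secret"  # constructed sample input
    for site in ("kuro5hin.org", "http://www.kuro5hin.org/", "slashdot.org"):
        print(f"{site:28} {site_password(master, site, 'alice')}")
```

Anyone who learns the master secret can regenerate every site's password, so the single-compromise concern raised elsewhere in this thread applies to it in full.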
PDA for passwords (4.00 / 1) (#33)
by static on Fri Mar 02, 2001 at 08:54:35 PM EST

I have a little program a friend beamed to my Visor called CryptInfo. I store all of my userids and passwords in it. Doesn't solve the proliferation of passwords, but gives you a method of controlling them.

As for picking passwords... I have a few fantasy worlds I've created. Very few people know any details about them, so all the invented names (towns, cities, rivers, countries...) make for good passwords. Sometimes I have a sequence as I move 'round a region. :-)

Wade.

[ Parent ]

Full View (3.00 / 1) (#23)
by finial on Fri Mar 02, 2001 at 04:29:05 PM EST

Fidelity Investments has a very cool feature called "Full View" where you can enter in all of your account information from wherever and view it all on one page at Fidelity.

It's from a company called Yodlee. They have a demo at their site. It's geared toward financial data, but there's no reason it couldn't be done elsewhere. It summarizes all of the accounts you've entered and gives you a link to log you in and go that site directly. Bank accounts, investment accounts, charge card accounts, frequent flyer accounts, electric bills, all kinds of things. It even includes Yahoo!Mail (and other) accounts.

It's very cool. Others besides Fidelity offer it including Yodlee themselves. I believe it's a free service.

There's no reason this couldn't be done for every other site as well.

tracking (1.00 / 2) (#25)
by dzimmerm on Fri Mar 02, 2001 at 04:38:25 PM EST

Everyone who uses broadband should be aware that every TCPIP packet that is not purposely mangled has the MAC address of your ethernet card on it.

This address could be used for identity verification on forums if they really cared about such things.

I gave this a +1 because it raises questions that many of us have to deal with on a daily basis.

Presently the way I deal with this is that I have one user ID and one password I use for any account that does not have money or work security attached to it. It is my throwaway account. I use a completely different set of passwords where they really count in banking and security at work. Trying to maintain separate passwords for accounts I might visit once a month would only result in lots of forgotten passwords.

My 2 Cents worth,

dzimmerm

P2P Protocols (4.00 / 1) (#27)
by tnt on Fri Mar 02, 2001 at 05:00:16 PM EST

You said:

Everyone who uses broadband should be aware that every TCPIP packet that is not purposely mangled has the MAC address of your ethernet card on it.

That's why I like a lot of these P2P protocols. You never actually can tell who the message came from. You can only tell who handed the message to you [and thus who to pass messages to if you want to talk back].



--
     Charles Iliya Krempeaux, B.Sc.
__________________________________________________
  Kuro5hin user #279

[ Parent ]
Bollocks (4.00 / 2) (#31)
by fvw on Fri Mar 02, 2001 at 05:33:53 PM EST

Everyone who uses broadband should be aware that every TCPIP packet that is not purposely mangled has the MAC address of your ethernet card on it.

That just isn't true (unless you're using ipv6, and even if that's true it isn't necessary). Get your facts straight.

[ Parent ]
MAC address (3.00 / 2) (#48)
by Corwin on Mon Mar 05, 2001 at 01:47:55 PM EST

Actually, it is true. Each packet sent out from a network card includes the MAC address of the network card. Granted, it's not in the TCP/IP portion of the packet, but there's much more to a packet than just that. Each layer of the OSI model puts header information on the packet. TCP puts on port numbers (Transport layer), IP puts on the IP address (Network layer) and the Data Link layer puts on the MAC address. After that, it all gets sent out on the wire.

Network addresses are only useful for routing across the internet. Your network card doesn't look at the IP address when receiving data; instead it looks at the MAC address since MAC addresses are supposed to be unique. Any packet matching its MAC address will be accepted and read. Switches store databases of MAC addresses such that they can forward data appropriately, and are essentially "routers" of MAC addresses. Difficult to do that if the MAC address is not in the datagram.

This is the case for dialup modems as well, lest I am mistaken.

See here for a diagram of the ethernet packet. All the network data, such as IP address, is included in the "data" segment of the type 0800 RFC 894 datagram. (Second half of the first large diagram)

Enjoy!

---
I'm in search of myself. Have you seen me anywhere?
[ Parent ]
Nope. (5.00 / 2) (#49)
by sec on Mon Mar 05, 2001 at 06:21:52 PM EST

Each packet sent out from a network card includes the MAC address of the network card. Granted, it's not in the TCP/IP portion of the packet, but there's much more to a packet than just that.

However, the TCP/IP portion of the packet is the only part that makes it past your broadband ISP's gateway. The MAC address of your ethernet card has long been stripped off by the time the packet makes it to another host on the internet.

This is the case for dialup modems as well, lest I am mistaken.

Dialup modems don't even have MAC addresses. Furthermore, PPP is, as its name rather subtly implies, a point to point protocol, so routing is basically a non-issue.

See here for a diagram of the ethernet packet. All the network data, such as IP address, is included in the "data" segment of the type 0800 RFC 894 datagram. (Second half of the first large diagram)

Irrelevant. As I said before, this information is long gone by the time your packet hits the Internet itself.



[ Parent ]

Stripped off (5.00 / 1) (#51)
by Corwin on Wed Mar 07, 2001 at 10:56:57 AM EST

However, the TCP/IP portion of the packet is the only part that makes it past your broadband ISP's gateway. The MAC address of your ethernet card has long been stripped off by the time the packet makes it to another host on the internet.

This would certainly be the case if the ISP were using Network Address Translation (in which case, the TCP/IP part is also stripped off) but not all of them do. I know that my broadband ISP gives me world-routable addresses and that people can contact my computer directly. To my knowledge, cablemodems aren't intelligent enough to strip off and replace MAC addresses on the fly.

For all I know, you may be right, but I'd like more of a reference than simply your say-so. <;

Dialup modems don't even have MAC addresses. Furthermore, PPP is, as its name rather subtly implies, a point to point protocol, so routing is basically a non-issue.

I'll accept that. I wasn't certain whether they had MACs or not, so lacking data I assumed that they had.

---
I'm in search of myself. Have you seen me anywhere?
[ Parent ]
not (2.50 / 2) (#52)
by fvw on Thu Mar 08, 2001 at 12:31:44 PM EST

Sorry, they just aren't. The MAC is only available at the ethernet level, agreed? What is the lowest level protocol common to the entire internet? IP. Which is above ethernet, and hence the whole concept (which is an ethernet 'packet') is not available on the internet. As for references, I'm sure rfc 791 has something to say on the matter (www.ietf.org)

[ Parent ]
check out (none / 0) (#41)
by 31: on Sat Mar 03, 2001 at 08:21:00 PM EST

http://www.wanresources.com/tcpcell.html

It shows exactly what's being transmitted in tcp/ip. Mac address isn't one of the things it needs to know.

-Patrick
[ Parent ]
Wrong (none / 0) (#44)
by hofmann on Mon Mar 05, 2001 at 08:11:40 AM EST

As already stated, neither TCP packets nor IP packets carry the MAC address, as these are responsible for higher layers of network communication than the hardware layer switching ethernet packages. You are also forgetting about the broad choice of other transport types like PPP, slip, ...

Even on ethernet networks MAC addresses can easily be spoofed, e.g. with linux `ifconfig` you can set your MAC address to any value, working with most ethernet drivers.

[ Parent ]
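
The layering argued over in this thread, as an added example (not from any poster): a constructed Ethernet II frame carrying an IPv4 packet is passed through a simulated router hop, which drops the arriving Ethernet header and writes a new one while the IP addresses pass through unchanged. All addresses are constructed (locally administered MACs, documentation IP ranges), the function names are hypothetical, and the code models a plain routed (layer 3) hop only, not a bridge or NAT.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800

# Constructed addresses: locally administered MACs, documentation IP ranges.
HOST_MAC = "02:00:00:00:00:01"         # the user's Ethernet card
GATEWAY_LAN_MAC = "02:00:00:00:00:fe"  # ISP gateway, customer side
GATEWAY_WAN_MAC = "02:00:00:00:01:01"  # ISP gateway, upstream side
UPSTREAM_MAC = "02:00:00:00:02:02"     # next router towards the server
HOST_IP, SERVER_IP = "192.0.2.10", "198.51.100.7"


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 6 = TCP) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    checksum = struct.pack("!H", ipv4_checksum(header))
    return header[:10] + checksum + header[12:] + payload


def build_frame(dst_mac: str, src_mac: str, ip_packet: bytes) -> bytes:
    """Ethernet II frame (RFC 894): dst MAC, src MAC, type 0800, data."""
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet)


def parse_frame(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl or ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("truncated or corrupt IPv4 header")
    return {"src_mac": mac_text(src), "dst_mac": mac_text(dst),
            "src_ip": socket.inet_ntoa(ip[12:16]),
            "dst_ip": socket.inet_ntoa(ip[16:20]), "ttl": ip[8]}


def route(frame: bytes, out_mac: str, next_hop_mac: str) -> bytes:
    """What a plain IP router does with a frame addressed to it."""
    parse_frame(frame)                # validate before forwarding
    ip = bytearray(frame[14:])        # arriving Ethernet header is dropped here
    ihl = (ip[0] & 0x0F) * 4
    if ip[8] <= 1:
        raise ValueError("TTL expired; a router would not forward this")
    ip[8] -= 1                        # TTL changes, so the checksum must too
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:ihl])))
    # A fresh link-layer header is written for the outgoing segment.
    return build_frame(next_hop_mac, out_mac, bytes(ip))


def demo():
    """Return the parsed view on the LAN and the view one routed hop later."""
    packet = build_ipv4(HOST_IP, SERVER_IP, b"constructed payload!")
    on_lan = build_frame(GATEWAY_LAN_MAC, HOST_MAC, packet)
    upstream = route(on_lan, GATEWAY_WAN_MAC, UPSTREAM_MAC)
    return parse_frame(on_lan), parse_frame(upstream)


if __name__ == "__main__":
    for label, view in zip(("on the LAN", "after gateway"), demo()):
        print(f"{label:14} {view}")
```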

I have no problem with accounts... (none / 0) (#32)
by PresJPolk on Fri Mar 02, 2001 at 07:04:37 PM EST

I keep a list of my accounts, with their passwords.

Bruce Schneier has written that cryptography is about turning larger secrets into smaller ones. So, just apply that idea. Always use randomly generated passwords, and store them all. Store them securely, though, using some good strong cryptography.

Just don't forget *that* password, or write it down somewhere physically insecure.

In a book (none / 0) (#36)
by tnt on Fri Mar 02, 2001 at 09:33:21 PM EST

I store most of my computer passwords [and user names] in a book. [My most important ones I just memorize, and don't write down.] It seems to be a very secure method.



--
     Charles Iliya Krempeaux, B.Sc.
__________________________________________________
  Kuro5hin user #279

[ Parent ]
Passwords, indexing and persistence (4.00 / 2) (#34)
by substrate on Fri Mar 02, 2001 at 08:55:59 PM EST

I try to use the same account names everyplace, surprisingly it hasn't been a problem. That only solves part of the problem though. For passwords I pick random ones. Remembering them was never a problem when I only had 8 or a dozen to remember. Now with the myriad sites I can't reliably do it anymore. I keep a list of my passwords PGP encrypted, and pick whatever I need. I'd like to see something more elegant here, maybe I'll write something.

Finding my content isn't presently possible. A lot of stuff I've written can be found via google, but a lot of it can't. Not only that but even if google archives it, how persistent is the data? I can find my writings (under my real name) dating back to 1992, but only because it still physically exists someplace. As far as I know there's no real system for archiving and indexing data. Some people like this, some don't (I recall some CEO raising a ruckus trying to get his older commentary removed from deja some time ago)

If I post something on slashdot it does find its way to google and is more or less searchable. Eventually slashdot will go the way of the dinosaur and that information will be gone. Kuro5hin doesn't seem to be indexed, I know I've tried finding my posts via google and haven't been able to.

This has probably wandered away from what you were looking for, which would be a way for a user to easily track their posts, not for the internet in general. I think this might be doable with external software. In a couple of minutes I will submit this and a web page will be popped up. I could drop the URL in a text file (probably with some annotation so I know what it was about) and return to it later. At least till kuro5hin disappears.

Be careful (none / 0) (#40)
by DJBongHit on Sat Mar 03, 2001 at 12:19:18 PM EST

try to use the same account names everyplace, surprisingly it hasn't been a problem.
You have to be careful with this, though. A lot of sites store the passwords in complete plaintext in the database, and so you have to have complete faith in the admin of the site to implement proper security measures so that their data doesn't get stolen. (Scoop and Dope do encrypt the passwords, though).

~DJBongHit

--
GNU GPL: Free as in herpes.

[ Parent ]
I am careful (none / 0) (#42)
by substrate on Sat Mar 03, 2001 at 09:38:00 PM EST

I use random passwords, I don't use the same one at any two locations. It's a bit of a pain since if I ever lose my encrypted password list I'm screwed, but it's also secure.

[ Parent ]
security (none / 0) (#54)
by Locus27 on Fri Apr 06, 2001 at 01:12:49 PM EST

i use, or try to use, the same account name every place i go. i also have 2 passwords. one for secure things, like paying bills online, and one for insecure things, like kuro5hin and /. even so, there's nothing that i do on the net that could possibly cause me any harm, financial or otherwise. i'm sure someone, somewhere out there is saying "well they can get your credit card number." well, it won't do them any good. my credit card company calls me to get authorization for any purchases made online or over the phone. sure, it's a pain in the ass sometimes, but they're usually prompt about it, and it's never held up a purchase i've made. so i guess my point is, why's everyone so worried about their passwords and whatnot? for average joe user, you're most likely not a target of skiddiots with malicious intent.

as for assembling all your crap in one place, or from one launching point, can't help ya with that one, though it is a great idea, and i'd like to see something like that, as long as it's not a sandbox type thing.

"You're one fucked up cookie."
-Shawn R. Fitzgerald

[ Parent ]
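
The scheme from comments #32, #34 and #42 above (a random password per site, the whole list encrypted under one master password), as an added example that is not any commenter's code. It swaps substrate's PGP for scrypt plus AES-256-GCM from Node's built-in crypto module; the function names and the blob layout are assumptions made here.

```javascript
const crypto = require('crypto');

// Character set without look-alikes (no I, O, l, 0, 1).
const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@';

// Uniform random password: crypto.randomInt avoids modulo bias.
function randomPassword(length = 20) {
  let out = '';
  for (let i = 0; i < length; i++) out += ALPHABET[crypto.randomInt(ALPHABET.length)];
  return out;
}

// Encrypt the whole list under a key derived from the master password.
// Blob layout (assumed here): salt(16) | iv(12) | GCM tag(16) | ciphertext.
function sealVault(entries, masterPassword) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(masterPassword, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

// Returns the entries, or null if the master password is wrong or the blob was altered.
function openVault(blobB64, masterPassword) {
  const blob = Buffer.from(blobB64, 'base64');
  if (blob.length < 44) return null;
  const salt = blob.subarray(0, 16), iv = blob.subarray(16, 28), tag = blob.subarray(28, 44);
  const key = crypto.scryptSync(masterPassword, salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  try {
    const plain = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null; // authentication failed: wrong key or tampered data
  }
}
```

Because GCM authenticates the ciphertext, a wrong master password and a modified file both fail closed instead of yielding garbage entries.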

Another possibility (3.50 / 2) (#35)
by Xpresso85 on Fri Mar 02, 2001 at 09:13:12 PM EST

Couldn't you just make a website that verified digital signatures and a browser plug-in that could use a javascript function to automatically sign things? If so, they would never know who you were, only that you were the same person that registered that username. Also, they could just use your public key as the user name and an alias for your BBS name. This way, the login site would send random text i and you would return signed(i) and your public key. At this point, the server would verify that the public key and signed text worked, and let you in remembering that you are Joe User.

Re: Another possibility (none / 0) (#47)
by tnt on Mon Mar 05, 2001 at 11:28:59 AM EST

You said:

Couldn't you just make... a browser plug-in that could use a javascript function to automatically sign things? If so, they would never know who you were, only that you were the same person that registered that username. Also, they could just use your public key as the user name and an alias for your BBS name.
This is pretty much what I was thinking. Using a `digital signature' as your ID. (The implementation of the `digital signature' would probably be a public key. [To be honest, I don't know if there are other kinds of `digital signing' methods that have been created (yet).])



--
     Charles Iliya Krempeaux, B.Sc.
__________________________________________________
  Kuro5hin user #279

[ Parent ]
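
The challenge-response login proposed in comment #35 and echoed in #47, as an added example that is not part of either post. It goes one step beyond the comment by signing a message that binds the site origin to a single-use nonce, so a response cannot be replayed or relayed from another site; Ed25519, the class and function names and the example origins are assumptions made here.

```javascript
const crypto = require('crypto');
const fingerprint = (pem) => crypto.createHash('sha256').update(pem).digest('hex');
// Domain-separated message: a signature is valid only for this site and this nonce.
const loginMessage = (origin, nonce) => Buffer.from(`login|${origin}|${nonce}`);

class LoginServer {
  constructor(origin) {
    this.origin = origin;
    this.accounts = new Map(); // key fingerprint -> { alias, key }
    this.pending = new Map();  // nonce -> expiry time in ms
  }
  register(publicKeyPem, alias) {
    const key = crypto.createPublicKey(publicKeyPem); // throws on a malformed key
    this.accounts.set(fingerprint(publicKeyPem), { alias, key });
  }
  issueChallenge(ttlMs = 60000) {
    const nonce = crypto.randomBytes(32).toString('hex');
    this.pending.set(nonce, Date.now() + ttlMs);
    return nonce;
  }
  // Returns the registered alias on success, null on any failure.
  login(publicKeyPem, nonce, signatureB64) {
    const expiry = this.pending.get(nonce);
    this.pending.delete(nonce); // single use: a captured response cannot be replayed
    if (expiry === undefined || Date.now() > expiry) return null;
    const account = this.accounts.get(fingerprint(publicKeyPem));
    if (!account) return null;
    const sig = Buffer.from(signatureB64, 'base64');
    return crypto.verify(null, loginMessage(this.origin, nonce), account.key, sig) ? account.alias : null;
  }
}

// Client side (the "plug-in"): signs only the structured login message, never raw text.
function signChallenge(privateKey, origin, nonce) {
  return crypto.sign(null, loginMessage(origin, nonce), privateKey).toString('base64');
}

// Constructed demo: one user, one site, a replayed response and a wrong-origin response.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const site = new LoginServer('https://forum.example');
  site.register(pem, 'Joe User');
  const n1 = site.issueChallenge();
  const response = signChallenge(privateKey, site.origin, n1);
  const [first, replay] = [site.login(pem, n1, response), site.login(pem, n1, response)];
  const n2 = site.issueChallenge();
  const wrongOrigin = site.login(pem, n2, signChallenge(privateKey, 'https://other.example', n2));
  return { first, replay, wrongOrigin };
}
```

The site learns only the public key and alias, but a key reused across sites is itself a linkable identifier, so a separate key pair per site keeps accounts unlinkable.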
Mozilla (none / 0) (#43)
by Kyobu on Sun Mar 04, 2001 at 10:37:17 PM EST

Mozilla fills out forms for you, if you want it to. You can even have multiple options for how you want to fill out a specific form. This doesn't address the desire for a central place to get account info, but it can be convenient.

You can't take it with you (none / 0) (#46)
by tnt on Mon Mar 05, 2001 at 11:18:28 AM EST

The only problem with this is that you can't take it with you (as you move from computer to computer). [But if you only use one computer all the time, then this would be helpful.]



--
     Charles Iliya Krempeaux, B.Sc.
__________________________________________________
  Kuro5hin user #279

[ Parent ]
LDAP (none / 0) (#53)
by orlando on Fri Mar 16, 2001 at 06:44:32 AM EST

A globally mirrored set of LDAP databases would work very well for this. You enter a username/password once, any participating web site would query this on login. Nice side effect is that you automatically have an account at any participating site. The database could also be configured to store other information about you, email address etc.

Of course there are down sides to it, someone only has to figure out/crack one password to get access to all your accounts, but that would be a problem with any single user name / password solution. And there would be nothing to stop you still having a number of accounts to choose from.

There would have to be a certain amount of trust involved between you and the organisation who owned the database, but this already exists to an extent for each of the sites you visit.

orlando...

I've got accounts everywhere; and I'm tired of it | 54 comments (45 topical, 9 editorial, 0 hidden)