The entire concept of usernames that are unique and permanent is stupid and even "cruel". The reality is that a relatively small handful of privileged early adopters get good usernames that match their identities, and everyone else gets screwed. These identifiers then act like tattoos that you got a long time ago and are stuck with for the rest of your life: people end up reminded every day of a sport they can no longer play due to an injury ("hockeystar") or loves lost ("iheartjessie"), attached to a joke that is no longer funny or to a thought that they found adorable as a 13-year-old (when you are legally asked to "choose a username": a modern era coming of age scenario) but which adults find inane, or to a nickname that means something different than you realized to some people and now can't change.
The reality is that there are almost ten billion people on this planet and they live for upwards of a century. You are simply deluding yourself if you think it is reasonable to build a system with unique, permanent usernames. Nothing in the real world works like that, including trademarks. And it just helps enforce the very problem that people try to trust usernames and then get tricked by people who sniped usernames that are tied to other people's well-known identities (leading to abused "verified" badge systems and legal challenges and expensive hostage scenarios... it just sucks).
And for what? To make it easier to hand-type a URL? Does anyone even do that? I am super technical and I barely even do that in 2018, as if nothing else there are too many websites in existence to remember all of their one-off URL schemes. Like almost everyone, I either use the site's built-in search feature or I do a search on Google to find people, and let a combination of page rank and personalized results guide me to the right destination. Some web browsers don't even show URLs anymore!
Here is a great example of where it is completely insane: Facebook. There is absolutely no good reason for that website to have usernames for regular users, and they frankly shouldn't have usernames for businesses either. It isn't even clear to me that the app--which most users are using, not the website--even has a way to show people's usernames, which means this is an identifier which somehow everyone knows must be chosen and must be unique and is nigh-unto permanent but which somehow is also simultaneously meaningless but is also a horrible point of contention? What?
I am lucky. I spent a bunch of time in 1994 to select a username, and despite being 13, I was mature enough to come up with something that wouldn't ever come to cause me complex problems. People ask me what it means, and it essentially doesn't mean anything: it has only a positive connotation to me when I hear it, it is entirely neutral, and it had no existing usage I could find. Yet, I also still got screwed, as I am semi-famous, and everyone knows me as this username. I have kids who look up to me enough to want to take my name as a show of support and I have to essentially be the big bad asshole about it because in a world of unique and permanent usernames, people then assume the kid is really me. On the other side, I have been asked to rename myself by moderators of various forums as they couldn't believe the real saurik got an account on their site, and it was "confusing" people.
And so in the end we all have to deal with the worst-case scenario anyway: unless you do nothing but sign up for random sites rumored to be interesting constantly (which I seriously tried to do), you eventually will succumb to needing a way to prove who you are on multiple sites and tie together those identities. And for most users... as in virtually all "normal users", that moment comes when they are using only two websites, as their username was probably something like jay.freeman.178 as everything that was even remotely interesting to them was taken a decade earlier by literally a different generation of humans, so they let the website automatically generate one.
In a world where everyone is having to solve the worst-case problem anyway, every site should just have numbers as unique identifiers, at most have some kind of trust score for degrees of separation on the site (so you can get a feeling for "is this the saurik that I met?"), and everyone should be trained "names don't matter and if you see someone with that name it doesn't even slightly mean that they are the same person you met last week".
So that you can be identified? (I'm not talking identified in a mathematical sense, but in an informal conversational sense (you know, what usernames are actually used for)). The whole point of a username is that it is the most humanly convenient way to represent a user in text in the context of a certain site.
Because the alternative would be to have thirteen saurik in the same thread debating a topic and you would have no way of distinguishing them. Avatars are an attempt to fix that but it sucks and is bloated for many scenarios.
Sites that do allow you to change username break conversations where people refer to each other using the username (stackoverflow comments are a really common and annoying issue).
Yes, it is annoying when you don't get your first pick but it truly is not a big deal and it solves a real problem.
jay.freeman.178 is an excellent username. You are not your username.
People can change their legal names, I see no reason why they shouldn't also be able to change their user names.
The problem with breaking continuity in forums and other similar networks can be mitigated via dynamic user name lookups (e.g. how Facebook does `@` mentions - however I have also seen some forums do this as well), supporting inline quoting (like how message boards often work), nested replies (HN, reddit, etc). Granted there will still be occasions when references slip through the net but we humans have a remarkable ability to deduce the context of the written word even when it doesn't always read perfectly.
I have not seen dynamic user name lookups work well in practice though, where the system has made it convenient enough to actually be used consistently. A different approach might be to leave the name as is for past conversations but use the new name for new interactions (and some way of showing the past name, xxx (formerly yyy) for new posts and xxx (now known as yyy) for past posts) - as is quite common that people manually do in the real world (and on facebook). Not perfect and quickly gets complicated.
I'd argue that a username does not have the same function as a name. My name is not an identifier and most have not chosen their name - which is also why (I believe) the first name change is free of charge where I live. In most cases you can also create a different account. Depending on the type of service this might not be desirable but in others it is exactly what you would want.
Slack handles this quite well actually. I know a lot of people dislike Slack for a lot of valid reasons, but they handle a few things right. If I type a message on Slack saying "hey, @alice, what's up?" then "@alice" gets replaced with the person's real name "Alice". When I send the message, the "Alice" bit in the resulting message becomes a link that will open the user's profile. Additionally, if "Alice" ever changes her name OR username, the name updates accordingly.
I agree with you about the identification part. I was wondering whether we could have a user friendly way to have a system of usernames + "something else" that allowed usernames to not be unique while still solving the identification part.
A possible implementation would be to allow the user to give a "nickname" to add to usernames he wants to identify uniquely that would be visible only for them. For example since I talk now with you I could add to your username "user with whom I discussed identities and usernames" and this (or a short version of it) would be shown next to your username from now on.
A more automated way to do this is to create a unique image for the user based on the content they have posted, when they created their account, not so personal but requires less effort from the user, I'm sure such systems exist in many sites to create avatars. Obviously in these machine learning times we could get to do something much better.
The former battle.net (now Blizzard App) does what many games do and has the form "Username #XXXX", where the xs are digits. So you can be Frank #0001 and I can be Frank #0002. Steam allows you to tag people on your list with user created descriptions. There are definitely applications out there that make this kind of user experience a priority, I feel like the gaming world is ahead of the curve on this point.
Steam also allows you to change your publicly visible username more or less at will.
There's one "account name" which you pick at sign up, use to log in, and can never change (as far as I know), but you can then pick a "user name". The "user name" is what gets shown in any interaction with other users (forums, profile page, chat, in games, etc) and IIRC it doesn't even need to be unique.
Tagging people on your friends list is a great feature to match, since the tags remain when the tagged user changes their user name, which some people do quite often (whether for a joke or just because they got bored of the old one).
It really seems like a great system and it'd be nice if other systems offered the same degree of flexibility.
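The Battle.net-style "Username #XXXX" scheme and the Steam-style friend tags and rename history described in the two comments above, worked through as an added example (not Blizzard's or Valve's code, and the 4-digit width and the no-reuse policy are assumptions): display names may collide freely, the discriminator is what makes the pair unique, tags belong to the viewer and survive the friend's renames, and an old handle is never handed to a later registrant.

```python
"""Display names with numeric discriminators, private friend tags and rename history.
Added example for the thread; not Battle.net's or Steam's implementation."""
from __future__ import annotations
import itertools
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int                                  # permanent system id, never displayed
    display_name: str                                # chosen freely, may collide with others
    discriminator: int                               # disambiguates equal display names
    previous_handles: list[str] = field(default_factory=list)
    tags: dict[int, str] = field(default_factory=dict)   # friend's account_id -> private label

    @property
    def handle(self) -> str:
        # assumed width of 4 digits, as in "Frank#0001"
        return f"{self.display_name}#{self.discriminator:04d}"


class Directory:
    def __init__(self, max_discriminator: int = 9999):
        self._next_id = itertools.count(1)
        self._accounts: dict[int, Account] = {}
        self._issued: dict[str, set[int]] = {}       # display_name -> discriminators ever issued
        self._max = max_discriminator

    def _allocate(self, name: str) -> int:
        """Lowest discriminator never issued for this name; freed pairs are not recycled,
        so a handle someone used last year cannot be claimed by a newcomer."""
        issued = self._issued.setdefault(name, set())
        for d in range(1, self._max + 1):
            if d not in issued:
                issued.add(d)
                return d
        raise ValueError(f"no discriminators left for {name!r}")

    def register(self, name: str) -> Account:
        acct = Account(next(self._next_id), name, self._allocate(name))
        self._accounts[acct.account_id] = acct
        return acct

    def rename(self, account_id: int, new_name: str) -> Account:
        acct = self._accounts[account_id]
        acct.previous_handles.append(acct.handle)    # visible history, as Steam shows friends
        acct.display_name = new_name
        acct.discriminator = self._allocate(new_name)
        return acct

    def resolve(self, handle: str) -> Account | None:
        """Look up 'Name#0001'; only the full pair identifies an account."""
        name, sep, disc = handle.rpartition("#")
        if not sep or not disc.isdigit():
            return None
        for acct in self._accounts.values():
            if acct.display_name == name and acct.discriminator == int(disc):
                return acct
        return None

    def tag(self, owner_id: int, friend_id: int, label: str) -> None:
        """A label only the owner sees; keyed by the friend's permanent id, not the handle."""
        self._accounts[owner_id].tags[friend_id] = label

    def label_for(self, owner_id: int, friend_id: int) -> str:
        friend = self._accounts[friend_id]
        tag = self._accounts[owner_id].tags.get(friend_id)
        return f"{friend.handle} ({tag})" if tag else friend.handle


if __name__ == "__main__":
    d = Directory()
    a, b = d.register("Frank"), d.register("Frank")
    d.tag(b.account_id, a.account_id, "the Frank from the raid group")
    d.rename(a.account_id, "Francis")
    print(a.handle, b.handle, d.label_for(b.account_id, a.account_id))
```

Because tags and history are keyed by the permanent `account_id`, a friend can rename as often as they like without the viewer's label going stale, and because issued discriminators are never recycled, `Frank#0001` stays frozen after Frank becomes Francis rather than becoming a squattable alias.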
Steam has some poorly thought out shit; it has four identifiers, three of them unique:
1. Username, used to login, not visible elsewhere, unique and security related.
2. SteamID, id number which is visible elsewhere and used in their api fairly often; not too different from the username other than being public.
3. UrlID - by default a "steamcommunity" link to the user's page is their SteamID, but it can optionally be edited by the user to a custom url. This ID is a globally unique namespace. For example, https://steamcommunity.com/id/gaben
4. Display name ... Yup, the display name. Arbitrarily editable.
Having that many things is dumb. Having an editable url component is dumb (it shoulda just been the steamid forever).
A combination of username, steamID and display name is completely understandable in my opinion. Users shouldn't be forced to login using a randomly generated ID, but something they can remember, and they have the option of being private by being able to use the display name.
UrlID can be beneficial for the user so the user can choose an easily spellable identifier for the URL in case he needs to share the link often using voice.
Seems like an optimal system, except that the UrlID is probably a use case that doesn't come up often. But it still won't really hurt anyone. If it wasn't the URL ID it would be steamID, which does nothing to help to remember the URLs. So why is it poorly thought out if it gives benefits to some use cases without making anyone else worse off?
Would you rather be xXTheRealMrGuyoramaXx or mrguyorama_123 instead? I really don't see how it's that different. It solves the problem of first come first serve, without forcing people to come up with the random meaningless bits themselves.
But now the onus is on other people to create a name for everyone they might interact with regularly. So instead of each person creating one name to denote themselves, each person is now creating multiple names to denote everyone else.
And I don't really see how this is functionally any different to adding digits to the end of your normal username.
In Steam it is actually the case that a user can select their own display name (distinct from the account name used to log in) and change it at any time (and there's very few restrictions on what you can set it to, the system doesn't care if every single one of your friends has the same display name).
This function is separate from the "tagging" feature, which is helpful for keeping track of those friends who frequently change their display names and avatars. It's also possible to view the list of previous display names a given user has had, at least if you're friends with them.
If you're referring to the tagging on Steam, it's in addition to the regularly displayed username. If you're not, I guess I'm not sure what you're talking about.
Asymmetric keypairs, where your nickname is associated to your public key. It's the only reliable way to do it across multiple sites. But then you have a keypair to protect.
> A possible implementation would be to allow the user to give a "nickname" to add to usernames he wants to identify uniquely that would be visible only for them. For example since I talk now with you I could add to your username "user with whom I discussed identities and usernames" and this (or a short version of it) would be shown next to your username from now on.
That sounds a bit like SDSI & SPKI's nicknaming functionality. Entities were identified by keyhashes, but you could (and in practice would) give them nicknames or use others' nicknames for them.
> Because the alternative would be to have thirteen saurik in the same thread debating a topic and you would have no way of distinguishing them.
In the real world, people almost always go by their first name, and we don't have this problem. When two people in a social circle have the same first name, we don't turn and say "well everyone has to use their whole name, always, now." Rather, we adjust our names (usually someone gets a nickname, or goes by their last name).
The steam system allows multiple people to have the same display name and it works just fine. Sure, people can troll with it when they join your tf2 server (and then you kick them off).
The blizzard system also works great. The unique identifier is there, if all other forms of attempting to add a friend fail, but mostly you end up working contextually.
In the real world we have faces/voices/personalities etc. and an insane amount of context that we associate with a person, in most cases two people can have and use the same name and there won't be any confusion because the context is trivial. In written form this information is greatly reduced. This gets increasingly apparent on the internet where the number of participants can be huge and the time spent with each one minimal.
Your examples are games, which greatly limit interactions both in number of people and in time. I don't jump in and offer help in a game that ended 4 years ago. Everything is already in a very specific context.
It is often desirable for the username to be consistent across the entire site, if you recognize the username you remember past interactions and conversations which gives you a better context. This is a valuable part of a community.
Sure, there are places where you deliberately want to maintain pseudo-anonymity, where you'd get a new username in each discussion. But that's something else.
My name is Cory. Despite sharing that name with 120k other people in the U.S., occurrences of misidentification due to having the same name as somebody else are very rare and usually resolved by merely using my last name instead.
If your apps' users report problems with identifying people, just allow users to add more specificity to their username. "People always get me confused with this other user 'chairdude', can I change my display name to 'armchairdude'?"
If thirteen 'saurik's want to have a fun time and create a confusing discussion thread together, so be it.
And unique usernames don't solve that problem either. If I know a guy named "Mohammad Mohammad" and I want to find him on LinkedIn, I already don't know his unique username should he have one.
If I know him in person and ask for his LinkedIn, he can just send me a link to his profile. If Mohammad is advertising his LinkedIn presence, again, he can provide a link to his profile. Adding in unique usernames doesn't help much in this case.
I've actually not signed up for services at all because the couple username variants I tried were already registered.
I was also recently annoyed at being forced to switch to a new system for my credit card, and it's a unified system with all their other cards and banking customers, and still uses "username" (instead of email) as a login, so of course my name was taken. I decided to just append some random characters, and then realized I could just generate my entire username and have been doing that since, when I don't care about identifying myself to others. My password manager saves it, so it really doesn't matter to me.
> then realized I could just generate my entire username and have been doing that since, when I don't care about identifying myself to others. My password manager saves it, so it really doesn't matter to me.
Even better, if they have your email and use it for password recovery, you can basically turn it into a two step authentication by not saving the password and using password recovery every new time you need to log in. Though, that can get annoying if their password recovery takes a while to send.
Assuming an attacker can't know your information is not a good idea.
Your login information can be gained via keyloggers, network sniffing, phishing scams, malware, malicious employees, and all sorts of other methods.
This is why two-factor authentication is so important, to help prevent your account from being compromised in the event that your username and password are.
The part I don’t get is how not knowing your password makes the situation worse. The password recovery mechanism exists whether or not you use it every time you log in.
The way I see it, not knowing your password removes some potential threats around managing that password incorrectly, at the cost of increasing the risk of losing access to your account if the recovery mechanism doesn’t work.
As your sibling comment correctly inferred, this would hopefully be done after setting some sufficiently hard random password on the service in question. At least that's how I've seen it described by those here that have mentioned they do it.
A sufficiently large random unknown password is actually significantly less likely to be brute forced than the service itself is to be exploited.
I'm toying with an idea of an SMTP proxy service so you could have an SMTP server on your smartphone. I would like to use Let's Encrypt certificates so my service would be just a dumb pipe.
Then you could register using a random email for every service. SMTP would handle a signal outage, as the message would eventually be received. Or one could set up a secondary SMTP server in DNS.
I would like to give an option of subdomain handling. So every email would be on a different subdomain. That would make blocking easier.
So you would have addresses like:
foo@mjlptle3sq.emailproxy.net
It would only be for receiving.
I know that there are lots of options already: 20 minutes mail, user+whatever@gmail.com or just a catch-all. But this could at least provide somewhat end-to-end encryption.
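The per-service, receive-only aliases on random subdomains sketched above, as an added example of the registry side of such a proxy (this is not the commenter's code; emailproxy.net is the example domain from the comment, the 10-character label length is an assumption, and the SMTP listener itself is left out): each service gets its own alias, the routing decision is made per recipient, and blocking one leaked alias disables only that subdomain.

```python
"""Registry for per-service receive-only aliases of the form local@<random>.emailproxy.net.
Added example; the actual SMTP transport (or UUCP, as suggested below) is out of scope."""
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits
BASE_DOMAIN = "emailproxy.net"     # domain from the comment above; assumed to be ours


class AliasRegistry:
    def __init__(self, label_len: int = 10):     # 10 chars of [a-z0-9] ~= 51 bits of entropy
        self._label_len = label_len
        self._aliases: dict[str, str] = {}       # subdomain label -> service it was given to
        self._blocked: set[str] = set()

    def create(self, service: str, local_part: str = "foo") -> str:
        """Mint a fresh, unguessable alias and remember which service received it."""
        while True:
            label = "".join(secrets.choice(ALPHABET) for _ in range(self._label_len))
            if label not in self._aliases:
                break
        self._aliases[label] = service
        return f"{local_part}@{label}.{BASE_DOMAIN}"

    @staticmethod
    def _label_of(address: str):
        """Extract the subdomain label, or None if the address is not one of ours."""
        _, at, domain = address.rpartition("@")
        label, _, rest = domain.lower().partition(".")
        return label if at and rest == BASE_DOMAIN and label else None

    def owner_of(self, address: str):
        """Which service was this alias handed to?  Tells you who leaked or sold it."""
        return self._aliases.get(self._label_of(address))

    def block(self, address: str) -> bool:
        label = self._label_of(address)
        if label in self._aliases:
            self._blocked.add(label)
            return True
        return False

    def route(self, rcpt: str) -> tuple:
        """Decision for an incoming RCPT TO.  Rejecting at RCPT time (rather than accepting
        and discarding) avoids becoming a backscatter source and tells senders nothing useful."""
        label = self._label_of(rcpt)
        if label is None or label not in self._aliases:
            return ("reject", "550 5.1.1 no such recipient")
        if label in self._blocked:
            return ("reject", "550 5.7.1 alias disabled")
        return ("deliver", self._aliases[label])


if __name__ == "__main__":
    reg = AliasRegistry()
    shop = reg.create("shop.example")          # constructed service name
    print(shop, reg.route(shop))
    reg.block(shop)
    print(reg.route(shop))
```

Every alias is tied to exactly one service at creation time, so the first unsolicited mail to it answers the question of who leaked the address, and blocking is a one-line decision at `RCPT TO` instead of a filter rule.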
The idea of having easy to use single-use email addresses is good, but I don't think it's practical to run an SMTP server on a smartphone (you need the relevant ports open and forwarded through various NATs) and email anonymisers are already banned from signup on many sites, so *.emailproxy.net would quickly be, too.
If you're serious about this, consider running UUCP as the mail transport. It can be tunneled through SSH easily (or have TLS applied to it with something like stunnel), allows either end to initiate a transfer of data (assuming open ports), handles dynamic network addresses easily, and will likely be a much smaller drain on mobile phone batteries.
Plus it can allow sending and receiving of email and files, if you so choose.
I was thinking about a dedicated application on the phone for it instead of a regular mail client. Mainly to provide an easy interface to manage a large number of accounts, banning hosts etc. Also then the app could just use a service like Google's Firebase Cloud Messaging. That would wake my app and then it would get a message. I hope that it is fast enough that a sending SMTP server would not time out.
Backup MX servers do this every day. One of the common uses of differing MX priorities is to provide a backup MX server to accept mail on the behalf of your mail server if it is overloaded or unavailable. This has been used in the past to provide reliable mail transport to mail servers that are not always connected.
One downside has traditionally been that backup MX servers were generally much less stringent in their connection level spam filtering/blocking (since the downstream server is generally responsible for that, and they may be a backup server for multiple downstream servers), so it became common for spammers to send directly to lower priority mail servers to take advantage of this and bypass a lot of that active filtering at the eventual destination. Expect a lot of spam to queue up.
In your case, you actually would control the backup MX and the eventual destination (if it indeed is a separate SMTP server), so that's less of a problem. You could just put a pretty harsh timer on the queued mail, and throw it away after 24 or 48 hours. Then again, you could probably do all this almost identically by replacing the SMTP server run on the client device with an IMAP client, and just have delivery end at your server.
It seems that the EnvKey app/service does this. You only register with an email address, and if you need to log in to the app, it will email you a one time password to use.
Nowhere near as inconvenient as it sounds - it is the sort of service that you would rarely log in to. Mainly when setting up a new server or adding a third party service to your list of environment variables on your server.
I can see that for a service that you would use several times a day (Twitter etc.) then it would be a major PITA.
True. Long running sessions would help. There are those that would argue it is a security risk though.
Even EnvKey that I mentioned above has a session cookie of some sort - I can usually use the app for several days after logging in, even if I close the app - but after that I am prompted to instigate the email with my unique login key.
It would be nice if we eventually got to a point where control of whether a password was even allowed, how long your session cookies lasted, and the ability to list and invalidate all existing sessions was as common and expected as a password reset system.
Although I disagree that it's two step authentication in the general use of the term, I actually built this type of authentication flow into Remarkbox (https://www.remarkbox.com)
It works really well for most users although it does have some quirks.
How is it not, even in the general use of the term? Instead of site username and site password plus a separate token to a previously agreed upon authenticated service (whether phone or email account), it's site username and site account email (hopefully hidden), and a token sent to a previously agreed upon authenticated service.
If your account name and associated email is known, it's not really better than a username and password (except that it's delegated to what should be one of your strongest accounts that you protect more diligently), but if the email is not generally known for that account name then it's extra identifying information that must also be known to access the service account.
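The email one-time-code login flow discussed in the last several comments (EnvKey, Remarkbox, "password recovery as login"), as an added example of how a service implements it defensively; this is not Remarkbox's or EnvKey's code, the mail sender is a stub, and the 10-minute lifetime, 8-digit code and 5-attempt limit are assumed policy values. The server stores only a hash of the code, the code is single-use and short-lived, and sessions can be listed and revoked, which is the control the comment at the end of this subthread asks for.

```python
"""Email one-time-code login with single-use, expiring codes and revocable sessions.
Added example; not the code of any service named in the thread."""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 10 * 60      # seconds a mailed code stays valid (assumed policy)
MAX_ATTEMPTS = 5        # wrong guesses before the pending code is discarded (assumed)
CODE_DIGITS = 8         # 10^8 possibilities; with 5 attempts a guess succeeds 1 in 2e7


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class EmailCodeLogin:
    def __init__(self, send_mail, clock=time.time):
        self._send_mail = send_mail          # callable(address, body); stub in tests
        self._clock = clock                  # injectable so expiry can be tested
        self._pending: dict[str, list] = {}  # email -> [code_hash, expires_at, attempts]
        self._sessions: dict[str, str] = {}  # session token -> email

    def request_code(self, email: str) -> None:
        """Mint a code, keep only its hash, and send the code out of band."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[email] = [_digest(code), self._clock() + CODE_TTL, 0]
        self._send_mail(email, f"Your login code is {code}")
        # deliberately returns nothing: the code exists only in the mailbox

    def redeem(self, email: str, code: str):
        """Exchange a valid code for a session token; None on any failure."""
        entry = self._pending.get(email)
        if entry is None:
            return None
        code_hash, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[email]         # expired: force a fresh request
            return None
        if not hmac.compare_digest(code_hash, _digest(code)):
            entry[2] += 1                    # count the miss; burn the code after too many
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[email]
            return None
        del self._pending[email]             # single use: the same code never works twice
        token = secrets.token_urlsafe(32)
        self._sessions[token] = email
        return token

    def who(self, token: str):
        return self._sessions.get(token)

    def sessions_for(self, email: str) -> list:
        """What the user would see on a 'your active sessions' page."""
        return [t for t, e in self._sessions.items() if e == email]

    def revoke_all(self, email: str) -> int:
        tokens = self.sessions_for(email)
        for t in tokens:
            del self._sessions[t]
        return len(tokens)


if __name__ == "__main__":
    outbox = []                              # constructed stand-in for real mail delivery
    svc = EmailCodeLogin(lambda addr, body: outbox.append((addr, body)))
    svc.request_code("alice@example.com")    # constructed address
    mailed_code = outbox[-1][1].split()[-1]
    token = svc.redeem("alice@example.com", mailed_code)
    print(svc.who(token), svc.redeem("alice@example.com", mailed_code))
```

The security of the flow rests entirely on the mailbox, which is why the thread's point about the account email being "hopefully hidden" matters: the code is useless to anyone who cannot read that mailbox, but a request to `request_code` should still be rate-limited per address so it cannot be turned into a mail-bombing primitive.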
High quality speech recognition is ubiquitous in phone services these days so that isn't a good reason. Besides, if I want to set a 16 char password and am willing to enter that on a keypad, what's the problem?
As banks have merged and eaten each other over the years, I've ended up going from four different websites to log into to one website with four different usernames.
There's no way to merge the online accounts, even though the banking accounts are merged and I can see all of the financial information from each no matter which login I use.
I found a way to change it and it still worked last time I tried.
You must install Facebook Messenger. I am using iOS, don't know if the Android version is the same.
Keep in mind that your old username will no longer lead to your profile once changed. For me this was exactly what I wanted but for some they might want to not change their username after all due to this.
In the Facebook Messenger app, tap your profile picture in the top left corner. This brings you to a screen with the title "me". Right under your picture it will say "username m.me/yourusername" where yourusername is your actual username. Tap on your username and select "edit username".
Once you've changed your username in the Facebook Messenger app your identifier on Facebook itself will change also so now when people go to your Facebook profile on facebook.com in their web browser they will see your new username in the address bar.
Figuring this out was actually very difficult, as most information online claimed that your username could not be changed.
Because it somewhat seems to me that Facebook also doesn't want people to change usernames I ask that everyone who reads this keep that secret. HN pages usually don't rank highly on Google so mentioning it here shouldn't matter too much.
If any Facebook employees read this, please either
a) Make it easy for others to find out by updating official documentation, or
b) Make it easy to change from the main facebook.com application, or
c) Forget that you saw my comment.
As I'd like to be able to change my username in the future as I have done in the past.
That does mostly work (I only have a FB page with a fictitious name, which I change from time to time), but it leaves a trail of the old names here and there.
For example when I send a photo by Messenger it is attributed to my (n-2) name.
One could probably infer something about the state of Facebook's architecture from further study.
> In a world where everyone is having to solve the worst-case problem anyway, every site should just have numbers as unique identifiers...
ICQ did that. Though it still led to interesting results, because lower numbers were thought to be more valuable, and people were buying/selling those.
Perhaps random numbers with the same number of digits or UUIDs may work without such issues. :)
I remember my ICQ number, not used since 2001.
I remember my compuserve number too -- 101611,1220 - not used since 1996. I remember our first phone number as a kid, 818641, which we changed in the early 90s too. I recall friends' numbers too, and a bank account I had from 1993 to 2004.
However my slashdot number, which I've had nearly 20 years, I know nothing more than it begins with 2.
The modern numbers I remember are my mobile phone number, my wife's, and my passport numbers (phone numbers as we've had them over a decade and all of them because I have to write them on forms so much). The only other numbers that spring to mind are my staff number at work (used in various forms, had since 2003) and my bank numbers (needed to log on).
If you use a number a lot, you learn it. If you don't (like usernames which are saved) you forget it. I can barely remember my credit card pin as I use contactless so much, but muscle memory seems to work there.
Indeed. When I was hunting for ICQ numbers (see my other post how I did that) there were 2 golden aspects:
1) Short number.
2) Repeating digits like say only containing 2 or 3 numbers.
One of these was great, but both? Jackpot.
You could add a third factor: keypad pattern. It never occurred to me I'd use keypad to remember the number TBH, but IIRC one of my friends did care about that. I'm actually frightened by that option in Android I kid you not; I am frightened I forget the pattern!
Of my own numbers discounting the starting 1 (I personally did not care about that one but I know others did) one ended with 0's and the other one only contained 2 different digits with one being twice the other one. Extremely easy to remember.
I noticed that in many gaming related systems, this is already kind of the case. Blizzard appends random numbers to the end of each username in order to avoid name clashes, Steam lets you change your displayed username (although your account is still accessed through the old one), and so on.
UUIDs were also my first idea, but I have the feeling that sharing them (i.e. to invite a new friend) would be cumbersome. I wonder if a new system akin to what3words.com could help there.
Oldschool Battle.net had 16 alphanumeric characters with underscore allowed and that was that. At least for Warcraft 3 it's been the case since 2002 for a very long time (until quite recently last year they allowed fancy symbols in usernames).
You also had to login at least once every 3 months or Blizzard purged your account.
Many people used @hotmail.com addresses back in the day (or other free e-mail providers) to register their ICQ number. Heck, you could even search for people on ICQ who were using @hotmail.com addresses. Eventually, those @hotmail.com addresses expired, and you could reregister them. Once you did that, you could recover the ICQ password, and bingo. The old UINs (what the UUID was called back then) were often not in use anymore (my memory is vague if I ever encountered one in use, I think it happened once and I struck up a friendship with the one person who msged me). I traded many of these UINs away to friends. Even told some friends about the trick. I never sold them. Eventually the supply dried up.
The weakness lies partly in ICQ: they made it easy to find all these people using an @hotmail.com e-mail address and even showed this information. Sure, you could disable being part of this feature (IIRC it was called "yellow pages" or something akin to it) but still.
The other part of the weakness is exactly the very issue of domain squatting, username squatting, e-mail squatting or whatever you want to call it. I understand Microsoft wanted to save space on their e-mail servers back in the early '00s but: former usernames should be frozen and their e-mail could be either bounced or silently rejected to /dev/null or whatever's the Windows equiv.
Blizzard's WoW has the rule that you can only get a username from an inactive account. An inactive account is an account which did not play the previous expansion. That's their compromise. To be fair, it is not like people use WoW usernames for password recovery.
As for using numbers as username: that is what UNIX does under the hood, it is what Facebook does under the hood as well, it is what Blizzard's WoW does under the hood as well, and what T9 converts to as well, and ICQ did as well in contrast to MSN. Turns out people are lousy at remembering a bunch of numbers. So they resort to a 26-character system of letters, or a 36-character system of letters plus numbers. (Some services are more or less strict.) So, no, using numbers as a human-usable UUID is not a solution but using it under the hood is totally OK.
The article does a very intelligent job of disentangling system identifier, login, and display names (and helpfully links to a discussion of the tripartite identity pattern†), which obviates a lot of what you describe here.
Yes, but it does not bother to motivate why people should use "tripartite identity" (and even that linked article doesn't really try to make an argument); and then it goes on to talk about why uniqueness is hard from a technical level, leading people to be responding with comments like "I just included a library in my stack or chose the right type for my PostgreSQL column that fully handled the case and Unicode mapping, so this wasn't a big deal".
The real problem is that unique and permanent usernames serve as tattoos (which people later may find to be humiliating or depressing), disadvantage late-comer non-technical users (who will almost never have a good username and almost never will have the same username on two websites), and lead to weird problems with assumptions people make about what usernames even mean (that they are a signal for identity) that are simply not true.
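The tripartite identity pattern mentioned a few comments up (system identifier, login, display name), combined with the "former identifiers should be frozen" remedy for the ICQ/hotmail recovery problem described above, as an added example (not the linked article's code, and the starting id of 1000 and the normalisation rule are assumptions): the numeric id is the only thing other records reference and is never recycled, the login can change but its old value can never be registered by anyone else, and the display name carries no uniqueness requirement at all.

```python
"""Tripartite identity: permanent numeric id, changeable-but-frozen login, free display name.
Added example for the thread; not the implementation from the article it links to."""
import itertools
from dataclasses import dataclass


@dataclass
class Identity:
    system_id: int        # what the database keys on; the only value in foreign keys
    login: str            # email or handle presented at authentication; changeable
    display_name: str     # what other users see; may collide with anyone else's


class IdentityStore:
    def __init__(self):
        self._ids = itertools.count(1000)            # assumed start; ids are never reused
        self._by_id: dict[int, Identity] = {}
        self._login_to_id: dict[str, int] = {}       # normalised login -> system_id
        self._frozen: set[str] = set()               # released logins; never reissued

    @staticmethod
    def _norm(login: str) -> str:
        # assumed normalisation: trim and case-fold, so Alice@X and alice@x are one login
        return login.strip().lower()

    def _available(self, key: str) -> bool:
        return key not in self._login_to_id and key not in self._frozen

    def register(self, login: str, display_name: str) -> Identity:
        key = self._norm(login)
        if not self._available(key):
            raise ValueError("login not available")
        ident = Identity(next(self._ids), key, display_name)
        self._by_id[ident.system_id] = ident
        self._login_to_id[key] = ident.system_id
        return ident

    def change_login(self, system_id: int, new_login: str) -> Identity:
        """The old login is frozen: recovery mail or a new signup can never land on it."""
        ident = self._by_id[system_id]
        new_key = self._norm(new_login)
        if not self._available(new_key):
            raise ValueError("login not available")
        del self._login_to_id[ident.login]
        self._frozen.add(ident.login)
        ident.login = new_key
        self._login_to_id[new_key] = system_id
        return ident

    def rename(self, system_id: int, display_name: str) -> Identity:
        """No uniqueness check on purpose: thirteen sauriks are allowed."""
        self._by_id[system_id].display_name = display_name
        return self._by_id[system_id]

    def close(self, system_id: int) -> None:
        """Closing an account frees nothing: the login is frozen and the id is retired,
        so old references point at a gap instead of at a stranger."""
        ident = self._by_id.pop(system_id)
        del self._login_to_id[ident.login]
        self._frozen.add(ident.login)

    def resolve_login(self, login: str):
        """What the authentication layer does first: login -> system_id (or None)."""
        return self._login_to_id.get(self._norm(login))

    def display(self, system_id: int) -> str:
        return self._by_id[system_id].display_name


if __name__ == "__main__":
    store = IdentityStore()
    alice = store.register("alice@old.example", "saurik")     # constructed values
    store.change_login(alice.system_id, "alice@new.example")
    print(alice.system_id, store.resolve_login("alice@old.example"))
```

Freezing rather than releasing is the whole point: the takeover described in the ICQ comment worked because the provider let the recovery address go back into the pool, and this store never does that for any login it has ever seen.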
How would you handle making them non-permanent, though?
Expiring hotmail addresses have been problematic in many cases, and any unique lookup string will eventually be stored somewhere by someone and assumed still valid later on.
It's not even solved in full for phone numbers, despite everybody knowing they can expire and be reassigned - since long before our own lifetimes.
> every site should just have numbers as unique identifiers
Do you realize how impractical it is for users to remember these numbers for every site? Until we get to the stage where every non-English-speaking user and their grandma finds a password manager convenient, this proposal won't even pass the laugh test.
Don't underestimate the ability of non-technical people. Issuing membership numbers has been standard organisational practice for centuries and continues to work today for everything from airline loyalty schemes to international sports associations.
Case in point, I operate a service that uses numeric identifiers. Going by the helpdesk queries, our users are more likely to get their email address wrong than their membership number.
How often do your customers need access to these membership numbers, and how many such membership numbers do they deal with in their lives? If every service they used did the exact same thing as you do, do you think the error rate would still be so low?
And how often do they forget their numbers (rather than getting them wrong)?
These questions might make sense to me if the notion of a membership number was some strange new construct that we should adopt warily until proven to work.
It's amazing the results you get from treating your users like competent human beings rather than idiot cattle.
> These questions might make sense to me if the notion of a membership number was some strange new construct that we should adopt warily until proven to work. It's amazing the results you get from treating your users like competent human beings rather than idiot cattle.
All this snark just to dodge obvious questions about your approach?
Your demands for additional data have crossed into crude sealioning. I already offered the key data point that represents our concerns, viz. that users are more reliably remembering their membership number than an email address.
Speculation on the potential scalability of this approach seems absurd given that membership numbers have been successfully used by organisations of every scale for centuries.
> Speculation on the potential scalability of this approach seems absurd given that membership numbers have been successfully used by organisations of every scale for centuries.
The concern is not with the scale of the organization, but with the number of organizations a user is a member of, which has exploded since website accounts appeared.
It really hasn’t. The number of organisations that wish to track people for marketing purposes has exploded, with all the unnecessary account creation that goes with it. That is not membership, and these are not organisations worth your engineering expertise.
Well, before the Internet I would never have needed an account in a club race management system; I would probably just have used a bunch of unwieldy papers.
While I don't disagree that there's a lot of useless account creation, I'm still a member of at least an order of magnitude more useful online accounts than I or my parents ever were offline.
I would propose that maybe they can't remember their membership number, so are forced to look it up on a piece of paper. Whereas they believe they know their email, and maybe make typos.
I know that whenever I have to contact a service for which I only have a long numeric number I have some reference handy to make sure that I don't fuck it up.
> Your demands for additional data have crossed into crude sealioning. I already offered the key data point that represents our concerns, viz. that users are more reliably remembering their membership number than an email address.
> Speculation on the potential scalability of this approach seems absurd given that membership numbers have been successfully used by organisations of every scale for centuries.
> Do you realize how impractical it is for users to remember these numbers for every site?
That's really not an issue. It isn't much easier to remember that I'm "John28161" on a busy site. Websites have been offering "I forgot my username" functionality for ages, so as long as you remember your e-mail address, you're fine. Also, just let users bookmark their personal profile page (foo.site.com/user/83755567565) easily and it's solved even if cookies are deleted. Apps won't have a problem either way.
The number is not confidential, so people would not have to remember it, nor would they have to use a password manager.
Digits are much easier to spell over the phone than a mixture of letters and digits.
People are used to identifying themselves with a sequence of digits. If you're dealing with the tax office, the water company, the electricity company, or whatever, you get asked for your customer number, your meter number, your reference number, and so on, and usually these consist mostly of digits. Sometimes these identifiers are way too long, or several different identifiers are unnecessarily used, or the same sequence of digits is confusingly referred to by several different names ("customer reference", "account number", whatever), but those are separate problems.
> People are used to identifying themselves with a sequence of digits. If you're dealing with the tax office, the water company, the electricity company, or whatever, you get asked for your customer number, your meter number, your reference number, and so on, and usually these consist mostly of digits.
It's not a level comparison though. You don't need those numbers often, and when you do, you have all the resources you need with you, and it's not urgent. You generally need those when you call customer service, which you only do when you're at home and have time to spare. But if every email, messaging/social networking app, bank, credit card company, shopping site, etc. required me to go hunting for a 10+-digit number, I wouldn't have any trouble understanding it, but I would get fed up pretty fast.
That's why we need biometric hardware everywhere and use its data as a login, not as a password. Bio data is mapped onto a long UUID and the user just sets whatever username he wants to be displayed. We even have means to smoothly transition from no hardware to 100% coverage - just allow manual UUID input for systems where biometrics are unavailable - e.g. you have a pair of face/ID on the phone, fingerprint/ID on laptop and just ID on PC.
You keep your UUID as a backup. The fingerprint system on my phone still has an option to log in with password, the fingerprint is just a convenient, faster alternative. It's the same here, you keep the UUID in a folder with other sensitive documents and when you lose your finger, you fish it out, log in with it, and register another finger.
You'll have to remember multiple UUIDs, one per service. Now that I think of it, it will be rather cumbersome. And bio data has to be editable if it will be usable at all, i.e. add/delete new entries - fingers, eyes etc. Damn, it is harder than it seems. Anyway, bio data as a login should be implemented, we only need to think exactly how.
How? The UUID will be different per service. Anyway - it won't be worse than the current single (2-3) email as a login to everywhere, or facebookID as login to everywhere.
That number is the value Google currently uses to identify accounts. 100001702987293 (Facebook’s) is still too long.
And in either case, someone will end up with huge, unwieldy numbers. By using ascii identifiers, they’ll be 3 times shorter, though. Facebook’s number is just "WvN1+8Yd" in base64.
And at that point, why not allow people to choose identifiers? John.Doe.123 is still much more readable than 100001702987293
I wonder what happens if you still get to choose a username, but the service appends at least 3 digits (randomly; the first doesn't get 001; in fact let's say nobody gets a number below 101), and does some mangling especially for really short usernames (appends something or prepends something).
This gives every 'username' an effectively unlimited space of identifiers via the number suffix, and it trains users to realize that 'person who controls the account with username X' is not necessarily the same person as 'person who I know on other sites as username X'.
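The allocation scheme sketched in this comment, written out as an added example (my code, not the commenter's and not any real service's): a chosen name gets a random numeric suffix no lower than 101, very short names are mangled, and the result is a unique handle that sits between a permanent numeric system id and a freely changeable display name, which is the three-way split an earlier comment attributes to the tripartite identity pattern. The constants (suffix range, the 4-character "short name" threshold, the `user` prefix used for mangling, the retry limit) are constructed for this example.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed parameters for this example; no real service uses exactly these.
MIN_DISCRIMINATOR = 101      # per the proposal: nobody gets a number below 101
MAX_DISCRIMINATOR = 9999
SHORT_NAME_LEN = 4           # hypothetical threshold for "really short" names
SHORT_NAME_PREFIX = "user"   # hypothetical mangling: prepend a fixed token
MAX_TRIES = 50               # give up on a base name whose suffix space is nearly full


@dataclass
class Account:
    system_id: int      # permanent, numeric; the only thing the database keys on
    handle: str         # unique, e.g. "alice#4821"; what other users type to find you
    display_name: str   # free-form, non-unique, changeable at any time


class Registry:
    """In-memory stand-in for the user table of a site using this scheme."""

    def __init__(self) -> None:
        self._next_id = 1
        self._by_handle: Dict[str, Account] = {}

    @staticmethod
    def normalize(name: str) -> str:
        """Lower-case and strip to a conservative alphabet so cosmetic variants
        ("Alice", " alice") share one base name; pad names that are too short."""
        base = re.sub(r"[^a-z0-9._]", "", name.strip().lower())
        if len(base) < SHORT_NAME_LEN:
            base = SHORT_NAME_PREFIX + base
        return base

    def register(self, requested_name: str) -> Account:
        """Hand out <base>#<random suffix>; the suffix is never sequential, so the
        first "alice" is not privileged over the hundredth."""
        base = self.normalize(requested_name)
        span = MAX_DISCRIMINATOR - MIN_DISCRIMINATOR + 1
        for _ in range(MAX_TRIES):
            handle = f"{base}#{MIN_DISCRIMINATOR + secrets.randbelow(span)}"
            if handle not in self._by_handle:
                acct = Account(self._next_id, handle, requested_name.strip())
                self._next_id += 1
                self._by_handle[handle] = acct
                return acct
        raise RuntimeError(f"no free discriminator left for {base!r}")

    def resolve(self, handle: str) -> Optional[Account]:
        """Look up by the full handle only; the bare base name is not an identity."""
        return self._by_handle.get(handle)

    def rename(self, handle: str, new_display_name: str) -> None:
        """Display names change freely; the handle and system id do not."""
        self._by_handle[handle].display_name = new_display_name


if __name__ == "__main__":
    reg = Registry()
    first = reg.register("Alice")
    second = reg.register("Alice")
    print(first.handle, second.handle)  # two distinct handles for the same chosen name
```

Because the suffix is random rather than sequential, a second "Alice" cannot tell from the handle who arrived first, and because lookups only succeed on the full handle, the base name alone never identifies anyone, which is the point the comment makes about training users.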
Discord (and I believe Blizzard/Battle.net) does this. Your site-wide username would be something like Example#5436 but on individual servers you can be tagged with @example
When Google introduced account names in G+ (separate from gmail account names), they started by doing this. But I suspect it was a fairly big turn-off for people who are used to getting their usernames.
Alternatively, the service provider could implement a procedural jingle generation system to produce a short, catchy customized song to help them recall the number.
Counter point: My grandma could easily memorize her own phone number - and all her friends' phone numbers. ICQ also survived for years with numeric identifiers.
Though yes, I agree that once the nr of accounts starts going above 1 or 2 a password manager will be required.
Password managers really do need to be forced on people, not only because of unsafe password issues but because of username issues listed in the OP as well.
Use a paper notepad. Generate passwords by opening a dictionary at random for 3 words, with a random number at the end.
It’s not as good as, say, 1Password but it’s more likely to get used. Combine it with the browser or OS level password manager. It’s good enough for grandma, definitely better than “kitten4” that she’s currently using everywhere.
On a tangent, stereotyping this as “grandma” is a bit unfair. Most of my colleagues are college educated males in their 20s, some of them developers. And their passwords are rubbish, with no password manager, and no 2fa.
Aside from how painful that sounds, paper notepads can easily get lost. And if she's out and wants to check stuff on her phone (or trying to check her bank account at my aunt's home, or whatever), is she supposed to carry it all around and risk getting it stolen? If that's the implication, I'd rather she just have kitten4 at that point.
(And re: the grandma thing: it's nothing specific to grandmas, it's because the moment you suggest your audience is "college educated developers in their twenties" as in your case, people throw the notion of UI/UX out the window and recommend you suggest they compile their own kernel first. It seems you just can't win.)
If we make a crude risk assessment, it is way more likely that her account will be randomly hacked by a botnet if she has "kitten4" as a password than someone actively stealing her purse to get her passwords. And if the notebook with passwords was stolen/lost, she would at least know it and be able to take preventive measures.
For most people, writing (good and unique) passwords down in a notepad is a way more secure system than having the same bad password for every account.
Having a botnet guessing the random "kitten4" password for a random user account is as likely as having your purse stolen for the passwords on that note. FWIW "m" is almost a secure password on a root account with an SSH that allows password authentication, even if you allow brute force attacks. Empirically speaking, obviously it's going to fail in the end, but I hope you get my drift.
> FWIW "m" is almost a secure password on a root account with an SSH that allows password authentication
This is very counter-intuitive. Is the idea that guessing both the username and the password together is much harder than guessing the password when you already know the username?
In the kitten4 example, I would guess most botnets are working from a list of usernames/email addresses that they got from leaks.
We are obviously talking about a different stereotype. My “grandma” already keeps various notepads - recipes, appointments, address books. And she never has an urgent need to check her bank account while at Auntie Rita’s. As such, this fits her needs and workflow.
Yeah. In fact most likely, she's already written down "kitten4" in a notepad somewhere, because she doesn't trust herself to remember. So asking her to use a slightly longer password is not a massive change.
That's what my grandpa does. After failing to find his gmail address in it, he went through the "forgotten password" process. Then, after needing it the third time, we found the old password in the notebook, which was now wrong...
Xkcd's classical correct horse battery staple is about 40 bits of entropy, while being selected uniformly at random from a fairly large pool of words.
I can assure you that the average user wouldn't get above 15 - 20 bits with self selected words. That's often worse than most current passwords.
Anything using cheaper/more common hardware? so the user doesn't have to buy new hardware and switch ecosystems just for the sake of being able to manage passwords? (i.e. anything PC/Android?)
I mean, if you agree that the only option for mass adoption of password managers is to get people to shell out $$$+ for new hardware and switch ecosystems, I rest my case.
As developers we might be used to paying 100s of euros (or signing up to a contract to effectively do the same over time) on a phone, but the point is $grandma may not be willing to spend even 20% of iPhone budget (and definitely not replacing it by the time OS updates end)
There's a case made that statements like "so my grandma can use it" are (unintentionally) implicitly ageist and sexist -- Grace Hopper worked in computing until her death at age 85.
I use KeePassXC and the Android app and just email the database to myself if I update it. Not very elegant, but I couldn't think of an easier way.
I tried using Google Drive to sync it up, but Drive is useless for this - it doesn't open the file using the right intent on Android ("file type not recognised" or something similar it says, this used to work as well) and the Drive website makes it a pain to upload an updated file even from the desktop using Chrome.
Emailing your database to yourself after every change sounds... very painful. And error-prone.
In my case, I use KeePass 2 and KeePass2Android with Google Sync and it works decently well (I would recommend you try this). I would never recommend it to non-technically-minded folks though.
Nah, doesn't hurt at all :) The db doesn't change often so isn't a big deal.
Sync looks to be for Google-domains/business only. In fact Wikipedia says it has been discontinued! I used to sync over owncloud and that worked pretty well, but the provider shut down and I haven't gotten round to setting another up.
I'm confused, would you mind clarifying? What is for Google-domains/business only and has been discontinued? I'm using the software I mentioned with a regular @gmail.com account and it syncs fine with my Google Drive. I don't have gSuite/a business account/anything else.
You weren't talking about this? https://en.wikipedia.org/wiki/Google_Sync - I guess not. I think the sibling poster cleared it up though, the app I'm using is pretty old and doesn't integrate well any more in Android, there's a newer Keepass app that works with Drive natively.
Ahh! I have been using Keepass Droid, since I was using Keepass v1 files. For a long time Ubuntu LTS didn't have a good v2 client. A while back I upgraded my database to v2 on Ubuntu but stuck with KP Droid on Android. Maybe time to change app, thanks.
Interesting... that actually works fine? What happens if you make an edit to your password database on your phone, and then make another independent edit on your PC, and then they both get a chance to synchronize? Do they both persist, or do you lose one?
I can't honestly remember, it either lets you choose which file to keep or creates a copy. Might be that Dropbox and Nextcloud even behave differently. If I edit the file on mobile, I make a point of triggering the synchronization right after to avoid the problem.
If you're on Android, Keepass2Android [1] is an excellent app that implements the input with a special keyboard. This avoids risking your password via the clipboard. It even comes with a no-network-permission version!
I use Dropbox. I haven't actually tried that case since I rarely change my database from my phone. That said, I have had conflicts between two computers, but KeePassXC's built-in merge tool has fixed those nicely.
Being unable to move past an old username without having to give up your history is rather uncomfortable too.
During my freshman year of college a particular sandwich shop hired a spokesperson who shared my first name. One thing led to another, and the name of that shop became a lasting nickname.
Unfortunately that spokesperson turned out to be quite a monster, leaving me in a bit of an awkward position on sites that don't allow username changes.
Don't worry about it, Jared. No one thinks you're a creep, and if you create a new account, you're only sacrificing internet points, which are worth even less than bitcoin.
> And for what? To make it easier to hand-type a URL? Does anyone even do that?
This dilutes your otherwise excellent point. URLs are great when done right and lots of people prefer them to the site's search functionality. But that is entirely orthogonal to identities, which barely ever need to show up in a URL. (Unless treated as permanent and uniquely attached to physical people, which we agree they should not be.)
> Here is a great example of where it is completely insane: Facebook. There is absolutely no good reason for that website to have usernames for regular users, and they frankly shouldn't have usernames for businesses either.
Uh, Facebook doesn't have usernames, and hasn't had usernames for as long as I've been able to be a member.
There's an option to grab a unique identifier for your personal page, so that you become https://www.facebook.com/identifier, but it's completely optional, it's just a vanity thing.
Same for groups, they can grab a unique identifier, or stick to their auto-generated id.
Yes, but they're not required, you can't use them to login, and they're not displayed to other users. They're only used to create a nicer URL for the static link to your personal page.
Well, it adds an air of authenticity when everything lines up right as you judge the validity of a page. Let's assume for a moment you were the type to look for support on Facebook for your bank, and you looked wherever for "MyBank Facebook".
First two results are:
facebook.com/mybank
facbeook.com/mm48283df884
Which is the "real one" based just off this information? How do you know that when you message one of them you're getting the actual bank and not a fraudster?
It's not just vanity, people do check these things, not all of them savvy enough to continue researching. Just peek at "safe browsing tips" you'll see from tech rags online and it's pretty clear we do a poor job of educating people about proper vetting online, so you get people instilled with dogmatic understandings of security. ("The URL clearly says Mybank, so it's the real one." "Google actively removes fraudulent websites from the top hit, so it must be the real one", etc)
It sucks, but it is important to try to control for such errors.
Around 2009/2010. I actually set my alarm for the time they opened them up, which was the middle of the night for me. My wife managed to get her first name as her username. Worth it for 10 minutes of interrupted sleep!
I was lucky enough to get a 3 character Instagram handle back in the day. I get 5+ password resets a day and frequent offers for it - the most I've been offered is $25,000 for it. It's a pain.
It occurs to me there's probably a whole industry built around snatching up interesting account names for all the new services in the hopes that one might make it big. It's slightly complicated by the fact that different norms develop for different platforms (e.g. @realDonaldTrump on twitter because of what I assume were satire accounts).
There are probably people out there with spreadsheets full of service types, account names and passwords of accounts they control that include all the two letter to four or five letter company names, and many celebrity names, just in case someone wants to pay for it. The domain name game, just evolved for the current climate.
I mean, it would take me less than $25k worth of my time to build something to automate this, even if I had to get rotating IPs, mobile accounts, and have mechanical turk to solve CAPTCHAs (although with all those features it might be close), and you were offered that for one account.
More generally, only very rarely should canonical identifiers for computer use ever be meaningful to humans. The (potential, and conventional and UI-encouraged) meaningfulness and tree structure of the HTTP URL path component has probably contributed seriously to the Web's link-rot. Having a tree-structured, human-readable name at the top of the browser window is great! It just shouldn't be the URL.
This was solved within corporations to an extent 50 years ago. Institutions that used IBM mainframes tend to use an id of the form aaann where a is a letter and nn a number. An example is Matthew Garrett's id "mjg59". Large corps still use something similar. You can have a separate mail address and aliases but they are not your id.
I joined a Big Dinosaur Company early enough that they were still using mainframe RACF as the system-of-record for authentication, flowing downstream to LDAP. So indeed I received, for example, dlg28 as my ID and stem for e-mail address.
However after several years the SoR was migrated to Windows LDAP ( can't remember its brand name ) and it generated 'sensible' IDs for all the newer staff. So someone received JimSmith as ID & e-mail address.
We oldies felt old and uncool! So a project introduced self-selected e-mail aliases for the oldies, which then led to interpersonal conflicts because jsm22 wanted JimSmith@, but the 'new' Jim Smith already had that... But jsm22 felt he had title to it since he had worked there 40 years etc. etc., so he was given JimBSmith@, which of course led to misdirected e-mail. Hilarity ensued.
I'd rather they had never introduced the long-form IDs at all!
To solve this problem in part, keybase exists. At its core it's a proof-of-identity service, with some fanciness on the side. Sure it doesn't fix the root of the username issue, but it helps a little bit, while having cool things like kbfs and kbp.
I'll give an example of a permanent username that you can't change: Steam. For obvious reasons, Valve is way too underhanded to do anything about this. Nothing malicious, just inept to try because there's just no competition to.
Does Facebook actually have usernames the way other sites have usernames? I'm Bryan Rasmussen on Facebook not rasmussen.bryan127 or something, and if I search for somebody by name they recommend lots of people with that name.
About the usernames for businesses: I just spent some time being confused today because it turns out there is a Viasat in the Nordic area, and I thought it was somehow related to the American Viasat.
No, the reality is that everybody got used to it and nobody cares. What serious pages are there where you could not just create another account if you start being ashamed of what you have right now? This is seriously a no-problem and giving people numbers is the worst way you could go from here. We are not some kind of 70s science-fiction robots who would love to be called by numbers.... damn, sometimes I have the feeling that commentators on here are robots. Please go outside some time and ask real people what they think about the new genius idea that just came into your mind.
The reality is that usernames are seen as a computery tech internet thing rather than a business thing. Unofficial, maybe even frivolous.
In business you have customer account numbers, bank account numbers, membership numbers, invoice numbers etc. There is no conflation with identity - you are not your account with your bank, gym or stationary supplier. It is only because of internet forums and login usernames that we have even gotten to this state of affairs in the first place.
Usernames (or internet aliases in general) were a routinely mocked part of internet culture by mainstream culture. People these days use services in spite of usernames rather than because of them. The president of the United States has 'real' in front of his name. Think about that. In no other medium do we have people asserting that they are the genuine person they are claiming to be. It's tautological.
Dunno, what decade were people making fun of usernames? Starting back when I first downloaded MSN/AIM, people were having fun coming up with usernames and trading them. Everyone at school. Everyone.
People weren't just tapping random key combos either. They were coming up with their own identities because that's what people like to do.
I can't believe these comments that think people are itching to be assigned a #Reference ID on the internet. For example, you also think the mainstream used internet message boards.
In business I have mainly my mail address. It's forename.surname@company This is the most common identification uniform. Pretty easy, looks good on your card and can be remembered by the client who knows your name.
Everything else you've listed is part of an identification procedure that happens mostly between you and a machine. Not between two humans (taking out the call center semi-human who needs to type that into the machine first).
Thankfully, for steam your username is not displayed to any other person. You have a profile ID (globally unique, alphanumeric, you can change as many times as you want), and a profile name (not unique)
Unfortunately for Steam, your login username is still displayed in some places like the top right of the Steam app and any computers you choose to share your library on.
It's also likely that they used the login username as a primary key, which means it's unlikely to be able to be changed anytime soon.
You can't change your profile id though. That's what's called a "steam id". You can change the URL (steam custom url) however. But accessing your profile with the steam id will still work.
I'd prefer user names which were changeable rather than numbers; but lets be honest, a numeric only system isn't without precedence: ICQ.
To be honest, given user names are just an arbitrary reference, you could probably also include phone numbers, IP addresses, social security, national insurance and house numbers into the list of prior art as well.
Not that I'm advocating the use of numbers instead of names. Twitter I think gets it right where they give everyone a number which is fixed but you can assign yourself a name, which can change. Most of the time people choose not to, but the option is still there.
I come from the ICQ time (...hell I still have it). The fact that you had a number, did not make it good in any way. At the same time we already had IRC where everybody had usernames and it was much better if you had to tell someone who you are. It is by far easier to remember. If I'd tell someone (in Germany) that my nick is Aluhut, they'll have a picture in their head instantly. If I'd tell them that I'm 13475456, they'll ask me to write it down for them.
You could argue your preconception point as a negative as well. To quote the GP:
> The reality is that a relatively small handful of privileged early adopters get good usernames that match their identities, and everyone else gets screwed. These identifiers then act like tatoos that you got a long time ago and are stuck with for the rest of your life: people end up reminded every day of a sport they can no longer play due to an injury ("hockeystar") or loves lost ("iheartjessie"), attached to a joke that is no longer funny or to a thought that they found adorable as a 13 year old (when you are legally asked to "choose a username": a modern era coming of age scenario) but which adults find inane, or to a nickname that means something different than you realized to some people and now can't change.
The best happy medium is a user name that can change. But so many places make them static (sometimes for reasons no better than they just made "username" the foreign key in their users table)
> I come from the ICQ time
Likewise; that's why I used it as an example ;) I think comparing ICQ to IRC is a bit disingenuous as they occupied slightly different use cases.
I have never seen it as something negative. There are many letters/signs. There is creativity and Peter23 will always be only Peter at best. Changing a nick in IRC is as easy as joining a chan.
Most users have at least two email addresses because most of their mail is routed through email addresses like "PartyChick88@hotmail.com" but they don't feel comfortable putting that on job applications and medical forms.
It is a statistical certainty that people have missed job opportunities and subsequently defaulted on mortgages because they sent off a bunch of job applications on their "business" email address and then forgot to check it because they don't use it much.
One of the more common office security failures is to have your email client auto-fill to someones personal account instead of their company-issued account, resulting in sensitive documents leaving the auditable environment of the office email server.
Now for sure, it's not exactly up there with global warming and north korea, but I'm not sure I'd call it a "no-problem". It's a fundamental UX failure that we're only just now starting to see get fixed with email address aliases becoming a more widespread feature, and even that is just a patch. We've all gotten used to it, but that doesn't mean it's not a problem.
Well, the problem here is obviously not the nick but the inability of someone to drop an old email address or just forward it to another one. You don't have to have it in your mail client. You can manage that from the web interface and never again log in to that mail address.
I'm/was doing quite a lot of IT support for friends, family, their friends and so on and have never heard of anything like that. I'm also sure that the domain @hotmail.com would be enough to not get you a job at certain businesses.
> One of the more common office security failures is to have your email client auto-fill to someones personal account instead of their company-issued account
So...you are sending private emails from your business account? Again it's not the nick/names problem. The problem is your behavior. This is the root cause here and doing some make up won't solve your problem.
> real saurik got an account on their site, and it was "confusing" people.
I have no idea who you are and don’t recognise your username. Was that whole rant just a humblebrag that you’re “internet famous”? Because here at least, no one cares.
You don’t have to be mean about it! The world is big enough to fit lots of people like you who have no idea who he is, and also people like me who think “wait, is that the same saurik from...”
Seems like a real anxiety, not just a humblebrag. I’ve felt the same way and my response is to just make up new names all the time.
One can be "semi-famous", as OP said, in small circles, Eg. chess, and you wouldn't recognize his username--but maybe lots of chess players would. I didn't see it as humblebrag anyway, since it was a true part of his points.
I am lucky. I spent a bunch of time in 1994 to select a username, and despite being 13, I was mature enough to come up with something that wouldn't ever come to cause me complex problems. People ask me what it means, and it essentially doesn't mean anything: it has only a positive connotation to me when I hear it, it is entirely neutral, and it had no existing usage I could find. Yet, I also still got screwed, as I am semi-famous, and everyone knows me as this username. I have kids who look up to me enough to want to take my name as a show of support and I have to essentially be the big bad asshole about it because in a world of unique and permanent usernames, people then assume the kid is really me. On the other side, I have been asked to rename myself by moderators of various forums as they couldn't believe the real saurik got an account on their site, and it was "confusing" people.
And so in the end we all have to deal with the worst-case scenario anyway: unless you do nothing but sign up for random sites rumored to be interesting constantly (which I seriously tried to do), you eventually will succumb to needing a way to prove who you are on multiple sites and tie together those identities. And for most users... as in virtually all "normal users", that moment comes when they are using only two websites, as their username was probably something like jay.freeman.178 as everything that was even remotely interesting to them was taken a decade earlier by literally a different generation of humans, so they let the website automatically generate one.
In a world where everyone is having to solve the worst-case problem anyway, every site should just have numbers as unique identifiers, at most have some kind of trust score for degrees of separation on the site (so you can get a feeling for "is this the saurik that I met?"), and everyone should be trained "names don't matter and if you see someone with that name it doesn't even slightly mean that they are the same person you met last week".
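The model proposed in the comment above, sketched as an added example that is not code from the thread or from any real site: numeric ids are the only unique and permanent identifier, display names are free-form and may collide, and a "degrees of separation" score is computed from the viewer's own connection graph. The `Directory` class, its method names, and the accounts and edges in `build_example` are all constructed for illustration.

```python
"""
Added example (not from the thread): numeric ids as the sole unique identifier,
non-unique display names, and a degrees-of-separation score per viewer.
All names, ids and edges below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Account:
    uid: int                      # the only unique, permanent identifier
    display_name: str             # free-form, non-unique, changeable at will
    connections: set = field(default_factory=set)  # uids this account "knows"


class Directory:
    def __init__(self):
        self._accounts = {}
        self._next_uid = 1

    def create(self, display_name):
        # Nothing is checked for uniqueness except the auto-assigned uid.
        acct = Account(self._next_uid, display_name)
        self._accounts[acct.uid] = acct
        self._next_uid += 1
        return acct

    def connect(self, a, b):
        # Undirected "knows" edge between two uids.
        self._accounts[a].connections.add(b)
        self._accounts[b].connections.add(a)

    def degrees(self, viewer, target, max_depth=6):
        """BFS hop count from viewer to target; None if unreachable within max_depth."""
        if viewer == target:
            return 0
        seen = {viewer}
        queue = deque([(viewer, 0)])
        while queue:
            cur, depth = queue.popleft()
            if depth >= max_depth:
                continue
            for nxt in self._accounts[cur].connections:
                if nxt == target:
                    return depth + 1
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
        return None

    def lookup(self, viewer, display_name):
        """All accounts carrying this name as (uid, degrees) pairs,
        nearest to the viewer first; unreachable accounts sort last."""
        matches = [a for a in self._accounts.values() if a.display_name == display_name]

        def sort_key(acct):
            d = self.degrees(viewer, acct.uid)
            return (d is None, d if d is not None else 0)

        return [(a.uid, self.degrees(viewer, a.uid)) for a in sorted(matches, key=sort_key)]


def build_example():
    """Constructed graph: two accounts share the name 'saurik'; only one is
    reachable through a friend of the viewer."""
    d = Directory()
    me = d.create("alice")       # uid 1, the viewer
    friend = d.create("bob")     # uid 2
    known = d.create("saurik")   # uid 3, the one alice's friend actually knows
    d.create("saurik")           # uid 4, same display name, no connection at all
    d.connect(me.uid, friend.uid)
    d.connect(friend.uid, known.uid)
    return d, me


if __name__ == "__main__":
    directory, viewer = build_example()
    # Same name, two different uids; the score tells them apart.
    print(directory.lookup(viewer.uid, "saurik"))
```

The point the example makes in code: a name search returns several accounts, each identified only by its uid, and the viewer gets a distance signal rather than a promise that the name means anything. The unreachable account is not rejected or renamed, it is simply ranked last, which is the "names don't matter" training the comment asks for.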