
Here are posterous posts filed under login...

I am an Alice customer and actually quite satisfied with everything. I
have DSL and a SIM card. The DSL could be faster (it doesn't reach the
16,000) but it runs without interruption. The only thing that doesn't
work is logging in on the website. And the customer support, which is
completely resistant to suggestions.

I regularly fall for this form:

1. I type in my standard username and my password and get an error
message: Username is incorrect.
2. I try it with the customer number: Username is incorrect.
3. I wander through all the help options such as "Forgot password" or
"Can't log in with my username", but without result. Either no hint
appears at all or I could not be identified.
4. I call the expensive hotline and learn that the username is my
telephone number.

That leaves me with two problems: Why does it say "username" when you
have to enter a telephone number? And: I don't have a telephone number,
because I don't have a landline connection. It may be that the welcome
letter once said: Your (pseudo) telephone number is your username. But
hey, who can remember something like that? WHY DON'T THEY SIMPLY WRITE
"TELEPHONE NUMBER" ABOVE THE INPUT FIELD???

And why doesn't support understand this suggestion? The answer was:
"But the letter you received does say that your telephone number is
your username." Yes, of course I always have that letter with me when I
want to log in.

Filed under: login

Two screenshots of a login box. One in its normal state, and one with
an error message. At first glance quite unremarkable - but at second
glance ... you notice that something is missing on the right. Namely
exactly what you need when you have problems with the login. ;-)
(tested with Firefox on Mac and PC as well as Chrome on PC)

Filed under: login

tobym says...

I was testing a near-completion Drupal website today, and noticed that I could not log in with Internet Explorer (8). Firefox worked, Chrome worked, Safari worked...so what was the problem? Turns out there was an underscore in the domain name, and that gave IE fits. I changed the subdomain to use a dash instead, and the login worked.

Filed under: login

squbbl says...


Filed under: login

SpookyET says...

There, I have said. Passwords are indeed stupid. Why, you may ask? One cannot have a password, such as 'fluffy', and expect his account(s) to be secure due to dictionary attacks (the attempt to use every word, brute-force, in the English dictionary until access is granted). Thus, self-proclaimed security experts advocate the use of alphanumeric, multi-case passwords, such as '12@aE#4($32d*%ki'. Furthermore, no password should be used twice, which is exactly what most Internet users do. That is not a password, it is a character sequence, and it is next to impossible to remember. Should it be leaked, every account will be compromised. Since almost every website demands an account to keep track of its users, an ever increasing number of unmemorable passwords are necessary.

Some spell a password in leet speech--'e|\|c1cL0P43D1@' instead of 'encyclopaedia'. Leet speech converters exist. It is not an insurmountable task to translate a properly spelt dictionary into leet speech and use a brute-force dictionary attack. More-so, if an attacker knows personal information about his victim, he may segment the dictionary into probable sets of words for a password and increase the speed of the attack.

Software developers have come up with password managers. Agile's 1Password is the most popular password manager on the Mac platform. It can generate secure passwords, manage, and one-click log-in a user. Nevertheless, what if said user is using a mate's computer or is using a mobile device? Except for the iPhone/iPod Touch, that user has no access to his pass-character sequences. Even on the iPhone, the 1Password application is inadequate, not due to Agile's fault, because Apple's developing guidelines disallow the modification of Safari Mobile. Browsing must be done through the 1Password application. It is awkward and Safari features are missing.

Others advocate the use of SSL digital certificates. Secure communication with web servers is created with SSL certificates. When a user sees 'https' at the beginning of the URL in the location bar, he knows that data transmissions are encrypted from his computer to the server. In the same way, a user can identify himself to the server using SSL certificates. A certificate can be obtained for a fee or for free from Thawte and StartSSL for private use.

How does Thawte know who the user is? In order for the certificate to include the user's name, a driver's licence number or another form of identification must be submitted for a background check. Then the certificate is issued. When a server detects the certificate, the user is automatically logged-on. There is no need for a login-prompt. Unfortunately, the certificate must be installed on every browser of every machine, including mobile devices. One cannot use a mate's computer or a public computer at a library.

What could be a solution? Instead of passwords, one can use pass-phrases--It's nice to be important, but it's more important to be nice! Using proper spelling and punctuation is just as secure as '12@aE#4($32d*%ki'. Phrases are easy to remember. Dictionary attacks cannot be used on phrases. As long as the phrase is not a cliché, it is not popular, it is safe to use. Compose your own. It is, however, regrettable that websites are fixated on 'passwords'. Most password fields are 32 characters long, not enough to compose a phrase. Until websites accept pass-phrases, we have to look elsewhere.

OpenID Login Prompt

One solution is OpenID. It allows one to create one account at an OpenID provider and use that identity on every website that supports it. An OpenID prompt is a text-box that asks for a URL--where the user's identity is located.

One-login services have been tried before, most popular, Microsoft's Passport, but they were universally hated because users refused to allow a mega-corporation to control their Internet identity. The beauty of OpenID is that one can choose his identity provider or run the OpenID software on his own server if he is ultra-paranoid. No mega-corporation will have monopoly on user's identification.

Most users already have an OpenID. AOL, Google, Yahoo, MySpace, Facebook, Flickr, WordPress, Technorati, Microsoft Live, and many others, are all OpenID providers. However, Google and Yahoo have made the puerile move of not accepting OpenIDs created elsewhere, yet. Moreover, they advocate the use of buttons--'Login with Google', 'Login with Yahoo', 'Login with Twitter', 'Facebook Connect'. Google provides an ugly and long URL. Facebook and MySpace have not yet published their URLs. While a one-click login sounds wonderful, it turns the login prompt into NASCAR, a race-car with tens, if not hundreds of logos of OpenID providers.

OpenID NASCAR Login

How does it work? Bubba has an OpenID identity. He wants to register with BokayMe, a flowers site, which supports OpenID. He types in http://bubba.myid.net. BokayMe redirects Bubba to myID.net, which is his OpenID provider. Bubba logs into his account with his username and password. Then myID asks Bubba if he wants to register with BokayMe and what identity information he wants to share--name, email address, birthday, etc. The user has the option to accept or cancel the registration request, after which, myID redirects back to BokayMe, where the user is logged in if he has accepted. From now on, the user never has to login again as long as he is logged into his OpenID provider.

Unfortunately, more moronic moves from Facebook, Google, and Yahoo may put some users at risk. They have not implemented it properly or tried to simplify the registration process. When a user of these providers is asked, 'Do you want to register with BokayMe?', only the options of 'Yes', and 'No' are available. The user cannot make an informed decision because the identity information BokayMe demands is not displayed. Maybe, the user only wants to provide BokayMe with his email address and not his phone number. Maybe, many of the fields are optional and not required and he can opt out from providing that information.

It is best to use veteran OpenID providers. MyOpenID was the first provider and has many features, including multiple profiles and SSL certificate support. claimID has a ton of features, including hCard support on the identity page. The developers are also very active on the claimID blog. In the future, they want to provide value-added services for a fee. Current accounts will be grandfathered in and will pay no additional fee. myID, along with its beautiful interface, has Korean language support and an easy to remember URL http://user.myid.net. VeriSign Labs Personal Identity Portal (PIP) has a confusing interface, but it supports many authentication methods from simple username and password to SSL, SmartCard, fob key. It is best for the ultra-paranoid. Along with securing websites with SSL certificates, VeriSign operate two of the thirteen root servers of the Internet as well as two of the generic top-level domains, .com, and .net. They are here to stay.

Lastly, myVidoop, my favourite OpenID provider has an innovative and secure login mechanism: no passwords. Instead, it uses a matrix of image categories that are easy to remember to login called Image Shield. One can choose 3-5 image categories for his login and 7 other categories to obfuscate his login categories or allow myVidoop to choose at random. For example, a user chooses cats, dogs, and aeroplanes to be his 3 categories. Upon login, he will be prompted with a matrix of images. The user has to type the letter next to the cat, dog, and the aeroplane in the text-box. Even if those letters are somehow compromised, after they were used once, they are useless. It is a one-time password making key-loggers ineffective. In the image below the sequence is 'MKC'. The images are never the same and they are never in the same position. So, each time a user logs in with a different sequence of letters. For added security, the sequence of cats, dogs, and aeroplanes can be enforced. By default, dogs, cats, and aeroplanes as well as any other permutation also work.

myVidoop Image Shield

Furthermore, myVidoop is a two-tier security. Even before the Image Shield is displayed, the browser must be recognised, not just the machine. If the browser is not recognised, myVidoop will ask how the user wants to be contacted, by email, by voice on the phone, or by text message. It will send a one-time sequence of 6 numbers which has to be input. From then on, the browser is recognised, and the Image Shield will be displayed if the user is logged out.

myVidoop Activation Code Contact Selection
myVidoop Activation Code Entry

Once used, the activation code expires and cannot be reused again. Thus when the user uses a mate's computer, the browser will not be recognised, and he will be prompted to be contacted by an alternate method, email, voice on the telephone, or text message with a pin number. Once the pin number is input, the user will see the Image Shield where he will type a letter for each category. The activation code is useful to prevent phishing.

One last feature of OpenID, besides self-hosting, it also supports redirection. So, if Bubba has a blog at http://bubbaisondiet.com and wants to use that instead of http://bubba.myvidoop.com, he may by inserting the following lines in the header of his page. In the future, Bubba can use a different OpenID provider without losing the websites on which he has registered by changing the redirection.

<link rel="openid2.provider" href="https://myvidoop.com/openid" />
<link rel="openid.server" href="https://myvidoop.com/openid" />
<link rel="openid2.local_id" href="http://user.myvidoop.com/" />
<link rel="openid.delegate" href="http://user.myvidoop.com/" />

For more explanation on OpenID, please read OpenIDExplained and watch the video below.

UPDATE 2009-06-05: MyVidoop may be going out of business.

 

Filed under: login
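
How a relying site reads the delegation tags quoted in the post above, as an added example that is not part of the original post and not taken from any OpenID library. The names `HeadLinks` and `discover` and the sample page are constructed for illustration; the parser honours only `<link>` tags inside the first `<head>`, so markup placed in the page body cannot redirect the identity.

```python
from html.parser import HTMLParser

class HeadLinks(HTMLParser):
    """Collect rel -> href for <link> tags inside the first <head> only."""
    def __init__(self):
        super().__init__()
        self.in_head = self.head_done = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_done:
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a.get("href"))  # first tag wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head, self.head_done = False, True

def discover(claimed_id, html):
    """Return what a relying party learns from the claimed page, or None."""
    parser = HeadLinks()
    parser.feed(html)
    links = parser.links
    if links.get("openid2.provider"):      # OpenID 2.0 tags take priority
        version, endpoint = "2.0", links["openid2.provider"]
        local = links.get("openid2.local_id")
    elif links.get("openid.server"):       # OpenID 1.1 fallback
        version, endpoint = "1.1", links["openid.server"]
        local = links.get("openid.delegate")
    else:
        return None
    return {"version": version, "claimed_id": claimed_id, "endpoint": endpoint,
            "local_id": local or claimed_id,   # no delegation: same identifier
            "endpoint_is_https": endpoint.lower().startswith("https://")}

# Constructed sample: a blog page carrying the four tags from the post, plus a
# stray <link> in the body (e.g. user-supplied markup) that must be ignored.
SAMPLE = """<html><head><title>Bubba is on a diet</title>
<link rel="openid2.provider" href="https://myvidoop.com/openid" />
<link rel="openid.server" href="https://myvidoop.com/openid" />
<link rel="openid2.local_id" href="http://user.myvidoop.com/" />
<link rel="openid.delegate" href="http://user.myvidoop.com/" />
</head><body><link rel="openid2.provider" href="http://other.example/openid" />
</body></html>"""

if __name__ == "__main__":
    print(discover("http://bubbaisondiet.com", SAMPLE))
```

The delegating page decides which provider vouches for the identifier, so write access to its `<head>` amounts to control of every account registered under that URL. Serving that page over HTTPS and restricting who can edit its template are the corresponding safeguards.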

Zorg-Design says...

If you have forgotten the admin password for your computer, it need not be the end of the world. You can reset your password using your Mac OS X installation DVD. Start the Mac from the DVD while holding down the [C] key. After you have chosen the desired language, click the Reset Password entry in the Utilities menu. You can now assign new passwords for the users of the computer.

Filed under: Login

Zorg-Design says...

Every Mac owner knows the pretty "default login screen". Many are not necessarily happy with it, though, and yet the screen can easily be changed to a picture of your choice. Simply pick a suitable picture, if possible in the matching resolution of the respective Mac.

Once you have the right picture, head into the Finder. Under HD -> System -> Library -> CoreServices you will find the file "DefaultDesktop.jpg". It is best to make a backup of it. Then take the picture of your choice and name it "DefaultDesktop.jpg" as well.

Then overwrite the existing file, and please remember the backup beforehand. Before overwriting, you will be asked to "authorize" yourself. After a restart or logging out, the new "log-in" picture is in place.

(via macforlive)

Filed under: Login

Outsanity says...

I was logging onto my MySpace to upload a couple of photos of my wallpaper and after I was greeted by a CAPTCHA.

Woah. Wait. A CAPTCHA? So, not only do I have to enter my login info but now I have to enter a CAPTCHA after it? Is MySpace saying they are that unsecured with their login? I can understand a CAPTCHA for people adding you or posting a comment. That's to stop spam (moderate). But if that's their reason, wouldn't the spam creator just type it in and use whatever program to spam everyone on MySpace?
Too much typing... Just another reason no one uses MySpace anymore.

Filed under: login