Re: New feature: Article rating
Mon, 27 Mar 2000 15:49:09 GMT
In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Ed Jones writes:
I do foresee one possible area that could be a problem (but I could be
overreacting) - Auction/Sale/Trade announcements could all end up with a 75
rating (the initial 50 and then the poster gives it a 100).  This could give
a false rating for those announcements.

It'll probably get counter-balanced by people marking some of the more annoying
ones down.  Anyway, it's up to each individual reader whether or not they wish
to pay attention to the ratings.

Good point.

One minor kvetch.  Logging in assumes that I know my password (which I don't
and have to dig it out each time).

Do you sign in often from a public place such as a library?

I sign in from various workstations in various training rooms in 2 different

Is "changing your password" in the works?

Thinking more about it -- but it needs to be thought through very carefully.

For example, if people can pick just any old password they want, then there
has to be some sort of check by the server to make sure that the password
isn't too insecure.  Usually these checks involve scanning a dictionary of
words and names doing permutations on them, etc.  The check has to be able to
identify double-word as well as single-word problems, for example "giraffe"
(one word) or "puppydog" (two words) or "boxed" (one word, but also two
portions of a name).

That's for the user's protection.  Secondly, for LUGNET's protection, there
has to be some way to ensure that people don't use passwords here that they
might use elsewhere.  For example, if someone uses the password "blorkshmork"
everywhere online, that's bad from LUGNET's point of view, because it opens
up potential questions or finger-pointing if someone's account on some other
system ever was compromised.  Consider this hypothetical situation:  "Someone
broke into my PayPal account yesterday and took all my money.  The only other
place I use that password is at LUGNET.  Not that I particularly suspect
anyone, but this certainly does raise some questions."  From a risk assessment
point of view, it's imperative to take this possibility under consideration
and prevent even the possibility of it happening, if at all possible.

Of course, there are solutions (at least two I can think of so far*):

1.  Allow people to select from several machine-generated passwords and to
   choose a favorite.

2.  Allow people to add an easy-to-remember password of their own choosing
   on top of the main password, and require both passwords in order to be
   fully signed-in.  This would allow people to store their main password in
   a main cookie on machines at work, and use the secondary easy-to-remember
   password for quick signing in and signing out whenever they wanted.  Thus
   they would only have to remember one short password which someone snooping
   on their machine probably couldn't guess, yet the main password would
   still be there for other security reasons.


* I've been thinking about this for more than two years and have still only
come up with these two solutions.

Until you added Article Rating, the only function a member could perform by
logging in was to edit their profile (if I am correct - I doubt it).  Now that
I have a reason to use my password.....

Hmm...  actually, if someone wants to hack into LUGNET that badly, the basic
character (language, digits, scrambling, etc.) of their password isn't going to
stop them, as the last rash of major site stoppages demonstrated.

I personally hate generated passwords and change them as soon as possible to
something that has significant meaning only to me.

Perhaps if you required that members create a password that would:
- Only be used for LUGNET
- Not be stored in a cookie

I would certainly have no problem with that.  Cookies get deleted/corrupted
anyway (for some reason I have to resubscribe to LUGNET about every 2 weeks
because my cookie gets deleted/corrupted).  I would much rather rely on my
memory of my password than a cookie.

Anyway, just food for thought.
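
The server-side check described in the quoted reply above (single words such as "giraffe", two-word joins such as "puppydog", with simple permutations), sketched as an added example that is not part of the original thread or of LUGNET's code. The word list, the substitution table and all function names are assumptions constructed for illustration.

```python
# Added example: dictionary check for single-word and two-word passwords.
# WORDS is a tiny constructed sample; a real check would load a full
# dictionary plus a list of names.
WORDS = {"giraffe", "puppy", "dog", "boxed", "cat", "house"}

# Assumed substitution table for common look-alike characters.
LEET = str.maketrans("013457@$!", "oieastasi")
EDGE_CHARS = "0123456789!@#$%^&*._-"


def candidates(password):
    """Normalised forms to test: lower-cased, look-alikes mapped back to
    letters, with and without digits/punctuation padded on the ends."""
    low = password.lower()
    return {low.translate(LEET), low.strip(EDGE_CHARS).translate(LEET)}


def split_words(text, words, max_parts=2):
    """Return the dictionary words text is made of (at most max_parts),
    or None if it is not a plain concatenation of dictionary words."""
    if text in words:
        return [text]
    if max_parts > 1:
        for i in range(1, len(text)):
            if text[:i] in words:
                rest = split_words(text[i:], words, max_parts - 1)
                if rest:
                    return [text[:i]] + rest
    return None


def dictionary_hit(password, words=WORDS):
    """Return the matched word list if the password is dictionary-based,
    else None."""
    for cand in sorted(candidates(password)):
        parts = split_words(cand, words)
        if parts:
            return parts
    return None


if __name__ == "__main__":
    for pw in ["giraffe", "PuppyDog", "Puppyd0g!", "boxed", "blorkshmork"]:
        print(pw, "->", dictionary_hit(pw))
```

"blorkshmork" passes this check, which is why the reply treats reuse of a password on other sites as a separate problem from dictionary weakness.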

