AmiStore Login design issue
Home away from home
AmiStore's Login 'window' has a tick box to "remember password". This seems completely the wrong way around, for both user-friendliness & security:

Your Username is some random characters auto-generated for you (and so difficult to remember), while your Password is something you chose (and so hopefully easy to remember). By default neither is remembered.

What I would have EXPECTED is that the hard-to-remember Username would have an option to be remembered (if it didn't do so automatically), and just require the user to remember their Password. i.e. Like almost every website.

Yet instead it does the opposite. This basically means it's treating the username as the secret, and the password as unimportant. That's pretty disastrous for security, since the password is supposed to be the secret, and it's not supposed to matter so much if the username is revealed (by accident or intention).

(Yes, there is an option, hidden in Preferences, to remember the username. But really, if you are going to offer the user the insecure ability to remember the Password, this is where it should be hidden away... Although there should then be a warning shown in the Login window that the password will be remembered.)

Anyone else think this is weird, or did I miss something obvious?

Author of the PortablE programming language.

Re: AmiStore Login design issue
Home away from home
It's common practice for applications on private computers to remember passwords as well as usernames for interacting with remote services.

AmiUpdate does on AmigaOS, RhythmBox does on Linux, most mail clients do on any OS, pretty much everything does on my Android phone....


If you are concerned about security don't use the feature (or an AmigaOS machine for that matter).


Re: AmiStore Login design issue
Quite a regular
@ChrisH

In the AMIStore settings you can specify to remember your username too.

It is then stored and encrypted on your system with AES256.

Re: AmiStore Login design issue
Home away from home
@broadblues Quote:
It's common practice for applications on private computers to remember passwords as well as usernames

Yes, but AmiStore does NOT remember your username (*), yet it does clearly offer to remember your password. (* unless you enable an obscure option)

It just seems backwards to me, especially when the password is easy to remember, but the username is hard to remember.

This is a user-interface design issue, which encourages insecurity (where it might not be needed), and yet also makes AmiStore harder to use than it should be.


Edited by ChrisH on 2016/9/25 10:58:13
Edited by ChrisH on 2016/9/25 11:00:00
Edited by ChrisH on 2016/9/25 11:02:35
Edited by ChrisH on 2016/9/25 11:04:06
Edited by ChrisH on 2016/9/25 11:19:42
Edited by ChrisH on 2016/9/25 11:21:22
Edited by ChrisH on 2016/9/25 11:23:27
Author of the PortablE programming language.

Re: AmiStore Login design issue
Home away from home

@amigakit Quote:
In the AMIStore settings you can specify to remember your username too.

Yes, I know. But my point is that you've got it the wrong way around. The insecure option is presented on the Login window, while the safe option (remember username) is hidden away where most people probably won't notice it.

It's also not terribly helpful to offer to remember the password (which is easy to remember), while hiding the option to remember the username (which is hard to remember).

Quote:
It is then stored and encrypted on your system with AES256

That will make little difference, IMHO. If I have access to someone's Amiga for a few minutes, there is a good chance I can obtain access to their AmiStore account without any cracking software (if they tried to make AmiStore easier to use, by ticking the obvious "remember password" option).

IMHO it would be much better to offer a "remember username" option on the Login screen. And possibly hide the option to remember the password in the Preferences area. OR MAYBE BETTER: Keep the remember options where they are, and instead default to remembering the username. This way people will feel less need to tick the insecure "remember password" option. If they don't want it to remember their username for some reason, then the option is hidden in the Prefs section for them to find.

So to recap: Most of my objections could be resolved by having AmiStore default to remembering your username.

Author of the PortablE programming language.

Re: AmiStore Login design issue
Just popping in
@ChrisH
I agree. Given how password remembrance functionality usually works, it's a bit unintuitive.

I actually created an FKey shortcut that fills in my username. Didn't know about the "remember username" setting until now. So thanks for pointing that out!

But I have to say, I usually don't like "skinned" applications (like, why do music players always look like an old receiver, or some weird metallic thingie). AmiStore, however, I think works really great!

Maintainer and developer for Jamiga2 - Java for Amiga

Re: AmiStore Login design issue
Just can't stay away
@ChrisH
I mostly agree with you. After I bought my X1000, I was appalled when I saw the username and password that I was assigned. I immediately complained but wasn't given any way to change the username and password. If everyone else's password was assigned like mine then they're easy to deduce. If you're concerned about security then you should be aware that the AmiStore App stores your username in the ENV:A-EON directory and leaves it there after you quit AmiStore. That's not nearly as bad as what Odyssey does if you have the "Settings/Privacy/Save forms credentials" checkbox selected. Odyssey stores the URL, username & password in an unencrypted file named Passwords.db

Amiga X1000 with 2GB memory & OS 4.1FE + Radeon HD 5450

Re: AmiStore Login design issue
Home away from home
@ChrisH

Quote:

Yes, but AmiStore does NOT remember your username (*), yet it does clearly offer to remember your password. (* unless you enable an obscure option)

It just seems backwards to me, especially when the password is easy to remember, but the username is hard to remember.

This is a user-interface design issue, which encourages insecurity (where it might not be needed), and yet also makes AmiStore harder to use than it should be.


Hmm, okay, yes, having the remember username option in a different place from the remember password option is a bit odd. I must have chosen that option right after first use and forgotten I'd ever done it.


Re: AmiStore Login design issue
Home away from home
@xenic

Quote:

Odyssey stores the URL, username & password in an unencrypted file named Passwords.db

Even worse, AmiUpdate stores its username/password combination for the OS update server in a file called "SiteList" in SYS: in human readable form.
Given that this is the server that was meant to keep AmigaOS up-to-date it's a more than bad and unsecure design decision.

I already gave feedback about this, but it was and will never be "resolved" (author of AmiUpdate)

People are dying.
Entire ecosystems are collapsing.
We are in the beginning of a mass extinction.
And all you can talk about is money and fairytales of eternal economic growth.
How dare you!
– Greta Thunberg

Re: AmiStore Login design issue
Home away from home
@ChrisH

When I log in to AmiStore my username and password are already saved on the login screen and all I do is hit "login." I recall setting it up once to remember username & password and it's worked ever since.

_______________________________
c64-dual sids, A1000, A1200-060@50, A4000-CSMKIII
Catweasel MK4+= Amazing
! My Master Miggies-Amiga1000 & AmigaONE X1000 !
mancave-ramblings

Re: AmiStore Login design issue
Home away from home
@xenic Quote:
I was appalled when I saw the username and password that I was assigned. I immediately complained but wasn't given any way to change the username and password. If everyone else's password was assigned like mine then they're easy to deduce.

You should be able to log-in & then change your password on this site:
https://secure.a-eon.biz/account
or
https://secure.a-eon.biz/download/account.php

Don't ask me how you're supposed to find this out. Also, the password change might take a little while to get "synced" with AmiStore (possibly up to a day??), so I suggest doing anything you want with AmiStore before changing the password.

If you are security paranoid, then you can get to the same site by going to http://a-eon.com/ and then clicking Login (under Downloads at the bottom of the screen), then log-in & agree to the terms, and then finally click "edit profile" at the top of the screen.

Author of the PortablE programming language.