[nargery] Passwords
Aug. 4th, 2009 01:14 pm

There is an ancient Cambridge bulletin board called GROGGS; it celebrates its 25th anniversary next year. In 2002 I wrote a web client for it called Yarrow. There has not been a new release of Yarrow since 2003, but since one bug and one important feature request (of which more below) were recently made, I added some fixes at the weekend; you are welcome to test the public beta before release at the demo site I have made. (The old version is still running on chiark for now.) The demo site exists because GROGGS requires registration to read it, which makes it hard to use to demonstrate the system.
Now, I thought some of you might be interested in the important feature request. You see, Yarrow is a web front end to a protocol called RGTP. RGTP identifies users by a hex string, like C6F54E23BA, called a shared-secret. Until this weekend, Yarrow identified users like most websites, by means of a username and password. So if you wanted to start using GROGGS, you had to set up a Yarrow account, log in, request a GROGGS account, and configure your Yarrow account with your GROGGS shared-secret. This frightened people away.
The change I made this weekend was that there should be no more Yarrow passwords. Instead, there are only GROGGS shared-secrets. When you use Yarrow for the first time, you click the link on the login page to request a GROGGS account, and when you're sent your shared-secret, you log into Yarrow using it. Yarrow creates you a new account and sets the shared-secret of that account to the secret you used to log in.
Someone suggested today that we should also allow passwords. There would be a "change your password" form somewhere within Yarrow, and once you'd set one, you could log in using either your shared-secret or your Yarrow password. This would undoubtedly be more convenient, but I'm worried that explaining the idea might add unnecessary complication to the login screen, which is now beautifully simple.
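To make the trade-off concrete, here is an added sketch (my own illustration, not Yarrow's code) of the two login paths described above: the shared-secret path, where the secret alone identifies the account and first use creates it, and the optional password path, which cannot work without a username and a hashed password stored next to the account. The in-memory store, the hex-format check and the use of PBKDF2 are assumptions for the example, not details from the post.

```python
"""Sketch of the two login paths discussed in the post (added example, not Yarrow's code).

Assumptions (not from the post): accounts live in an in-memory dict keyed by the
shared-secret, which must be kept as given because the web client has to present
it to RGTP on the user's behalf; passwords, if allowed, are stored as salted
PBKDF2 hashes alongside a username, because a password alone identifies nothing.
"""
import hashlib
import hmac
import os
import re
from typing import Optional

# RGTP shared-secrets are hex strings; the post shows a 10-hex-digit example.
SECRET_RE = re.compile(r"^[0-9A-F]{10,}$")

accounts: dict = {}  # constructed store: shared-secret -> account record


def normalise_secret(text: str) -> Optional[str]:
    """Accept the secret as typed (whitespace, lower case) but reject non-hex input."""
    s = text.strip().upper()
    return s if SECRET_RE.match(s) else None


def login_with_secret(text: str) -> Optional[dict]:
    """Shared-secret path: first-time login creates the account and binds the secret."""
    secret = normalise_secret(text)
    if secret is None:
        return None
    return accounts.setdefault(secret, {"secret": secret, "username": None, "pw": None})


def set_password(account: dict, username: str, password: str) -> None:
    """The 'change your password' form: store a username plus a salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    account["username"], account["pw"] = username, (salt, digest)


def login_with_password(username: str, password: str) -> Optional[dict]:
    """Password path: needs a username to find the account, then a constant-time compare."""
    for acct in accounts.values():
        if acct["username"] == username and acct["pw"] is not None:
            salt, stored = acct["pw"]
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
            return acct if hmac.compare_digest(digest, stored) else None
    return None
```

The extra field the password path needs (a username) is exactly what the shared-secret login screen does without.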
What do you think? Worth doing eventually? Worth holding up the release for?
(Also, the existing system saves no state about users who aren't logged in, not even which items they've read. Perhaps we should create dummy accounts for such users so that it can highlight unread items, as it does for users who are logged in. This would need rather a rethink of the login system, but is possibly worth the trouble for people trying out the system. On the other hand, the great majority of the use of Yarrow is by people who are logged in, because it's almost entirely used to read GROGGS, which requires you to be logged in to read it. What do you think?)