AmiStore's Login 'window' has a tick box to "remember password". This seems completely the wrong way around, for both user-friendliness & security:
Your Username is some random characters auto-generated for you (and so difficult to remember), while your Password is something you chose (and so hopefully easy to remember). By default neither is remembered.
What I would have EXPECTED is that the hard-to-remember Username would have an option to be remembered (if it didn't do so automatically), and just require the user to remember their Password. i.e. Like almost every website.
Yet instead it does the opposite. This basically means it's treating the username as the secret, and the password as unimportant. That's pretty disastrous for security, since the password is supposed to be the secret, and it's not supposed to matter so much if the username is revealed (by accident or intention).
(Yes, there is an option, hidden in Preferences, to remember the username. But really, if you are going to offer the user the insecure ability to remember the Password, this is where it should be hidden away... Although there should then be a warning shown in the Login window that the password will be remembered.)
Anyone else think this is weird, or did I miss something obvious?
It's common practice for applications on private computers to remember passwords as well as usernames.
Yes, but AmiStore does NOT remember your username (*), yet it does clearly offer to remember your password. (* unless you enable an obscure option)
It just seems backwards to me, especially when the password is easy to remember, but the username is hard to remember.
This is a user-interface design issue, which encourages insecurity (where it might not be needed), and yet also makes AmiStore harder to use than it should be.
In the AMIStore settings you can specify to remember your username too.
Yes, I know. But my point is that you've got it the wrong way around. The insecure option is presented on the Login window, while the safe option (remember username) is hidden away where most people probably won't notice it.
It's also not terribly helpful to offer to remember the password (which is easy to remember), while hiding the option to remember the username (which is hard to remember).
Quote:
It is stored and encrypted on your system with AES256
That will make little difference, IMHO. If I have access to someone's Amiga for a few minutes, there is a good chance I can obtain access to their AmiStore account without any cracking software (if they tried to make AmiStore easier to use, by ticking the obvious "remember password" option).
IMHO it would be much better to offer a "remember username" option on the Login screen. And possibly hide the option to remember the password in the Preferences area. OR MAYBE BETTER: Keep the remember options where they are, and instead default to remembering the username. This way people will feel less need to tick the insecure "remember password" option. If they don't want it to remember their username for some reason, then the option is hidden in the Prefs section for them to find.
So to recap: Most of my objections could be resolved by having AmiStore default to remembering your username.
@ChrisH I agree. Given how password remembrance functionality usually works, it's a bit unintuitive.
I actually created an FKey shortcut that fills in my username. Didn't know about the "remember username" setting until now. So thanks for pointing that out!
But I have to say, I usually don't like "skinned" applications (like, why do music players always look like an old receiver, or some weird metallic thingie). AmiStore, however, I think works really great!
@ChrisH I mostly agree with you. After I bought my X1000, I was appalled when I saw the username and password that I was assigned. I immediately complained but wasn't given any way to change the username and password. If everyone else's password was assigned like mine then they're easy to deduce. If you're concerned about security then you should be aware that the AmiStore App stores your username in the ENV:A-EON directory and leaves it there after you quit AmiStore. That's not nearly as bad as what Odyssey does if you have the "Settings/Privacy/Save forms credentials" checkbox selected. Odyssey stores the URL, username & password in an unencrypted file named Passwords.db
Amiga X1000 with 2GB memory & OS 4.1FE + Radeon HD 5450
Yes, but AmiStore does NOT remember your username (*), yet it does clearly offer to remember your password. (* unless you enable an obscure option)
It just seems backwards to me, especially when the password is easy to remember, but the username is hard to remember.
This is a user-interface design issue, which encourages insecurity (where it might not be needed), and yet also makes AmiStore harder to use than it should be.
Hmm, okay, yes, having the remember username option in a different place from the remember password options is a bit odd. I must have chosen that option right after first use and forgotten I'd ever done it.
Odyssey stores the URL, username & password in an unencrypted file named Passwords.db
Even worse, AmiUpdate stores its username/password combination for the OS update server in a file called "SiteList" in SYS: in human readable form. Given that this is the server that was meant to keep AmigaOS up-to-date it's a more than bad and unsecure design decision.
I already gave feedback about this, but it was and will never be "resolved" (author of AmiUpdate)
When I log in to AmiStore my username and password are already saved on the login screen and all I do is hit "login." I recall setting it up once to remember username & password and it's worked ever since.
I was appalled when I saw the username and password that I was assigned. I immediately complained but wasn't given any way to change the username and password. If everyone else's password was assigned like mine then they're easy to deduce.
Don't ask me how you're supposed to find this out. Also, the password change might take a little while to get "synced" with AmiStore (possibly up to a day??), so I suggest doing anything you want with AmiStore before changing the password.
If you are security paranoid, then you can get to the same site by going to http://a-eon.com/ and then clicking Login (under Downloads at the bottom of the screen), then log-in & agree to the terms, and then finally click "edit profile" at the top of the screen.