I mean, pretending to be someone in another instance, “stealing” the username, is trivial. I see the more likely targets being instance admins or high profile users. Should we worry somewhat about this?

  • PonyOfWar@pawb.social
    link
    fedilink
    English
    arrow-up
    11
    ·
    1 year ago

    Yes, for sure. While the identity of a user can be checked, nobody is going to do this every time. IMO the simplest solution would be to just always show the instance even if a display name is set.

      • I Cast Fist@programming.devOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        It currently shows: pic, username (or login name@instance), local link to the comment, federated link, language

        Seems like the easiest solution would be to always show the user’s instance in a separated column

      • dQw4w9WgXcQ@vlemmy.net
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I feel like they could solve it by adding instance only when another user with similar name is present in the comment section. It would make it clear that a duplicate username is present without changing a lot for a majority of lemmy-commenr sections.

  • sim642@lemm.ee
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    That’s why instance is part of the username. It’s no different than email addresses.

    • PonyOfWar@pawb.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Setting a display name hides the instance bit. You have to check the URL or profile to see which instance they’re on, which people definitely won’t do every time. Especially if an impersonator just joins inside a thread mid-conversation, it won’t be obvious at all that it’s suddenly a different person writing.

      • ritswd@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        Just like emails, when people write something like ”Amazon Gift Cards” <yolo@yolo.com> in the From field.

    • skomposzczet@vlemmy.net
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      His concern is probably that in comments etc. only username is displayed. You have to go to person’s profile to discover their instance.

  • BlackEco@lemmy.blackeco.com
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    Some other projects in the fediverse have a verification mechanism in place.

    I personally like Mastodon’s: if you add on your profile a link to a webpage that itself links to your profile, Mastodon will show a green checkmark next to the link: https://joinmastodon.org/verification

    So you can verify your profile by linking to a webpage you own or testifies your account’s authenticity (ie. your blog, your author page of the publication your write for, etc.)

    Hopefully other projects (including Lemmy) will take inspiration from this process to limit impersonations.

  • Lvxferre@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    It’s a bit of a problem, indeed. Check my current display name as an example - I’m writing from a lemmy.ml account, but the display name impersonates another account in another instance (beehaw.org). Granted, both accs are owned by the same user, but nothing prevents me from doing it towards someone else’s account.

    Based on that, I think that:

    • the Lemmy software should not allow you to use “@” as part of your display name. Ever.
    • clients should always show which instance you’re from, even with a display name. (A simple icon would be fine.)
    • two accounts in the same instance should never be allowed to use the same display name.

    And for us, users: never rely on the display name. If the identity of someone is contextually relevant, always check the actual username, not the display name.

    • skomposzczet@vlemmy.net
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Twitter implementation seems good enough. Big display name with smaller unique handle below. Might be a bit bloat, but solves the problem.

  • Granixo
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    3
    ·
    1 year ago

    It’s something we should be worried about everywhere we go online.

    So try having at least 3 different passwords for personal accounts/websites and also contact moderators or support if you suspect your account has been compromised.

    • PonyOfWar@pawb.social
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      This isn’t about compromised accounts though. I could just create an account, give it the display name “Granixo” and your profile picture. It would look exactly like your account unless people actually click the profile or look at the profile URL.

    • n2burns@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      So try having at least 3 different passwords for personal accounts/websites

      That’s terrible advice when password managers are a thing. Also, this is about impersonation, not credential theft.

      • Granixo
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        Not everyone has access/knows how to use a password manager.

        • SaituriHiiva@sopuli.xyz
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Most people have one in their browser. While I personally would recommend a proper password manager, it’s still better than reusing passwords.

          Plus, if you know how to make a user on a lemmy instance (or any other web application), you pretty much know how to set up a password manager. If you know how to install an app on your phone and an extension in a browser, you’ll be able to use autocomplete pretty much always.

          If you’re worried about the costs, bitwardens free plan is pretty good (and with some know-how you can even self host). There’s probably other free ones too, but that’s what I’ve been happily using.

        • n2burns@lemmy.ca
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Not everyone has access/knows how to use a password manager.

          If someone have access to the internet, they almost certainly have access to a password manager. Even at work with my heavily locked-down computer and firewall, I can access BitWarden and I could do the same when I was on LastPass. Even a 10-year old Android/iPhone could be used as a KeePass vault if they aren’t comfortable with/don’t have access to a web-vault.

          If someone doesn’t know how to use a password manager, it’s really easy to learn. There are hundreds of guides and once it’s set up, the process is quicker than trying your same 3 passwords.

          Telling someone to use the same 3 passwords is about 1/3 as bad as telling someone the LifeProTip to use the same password everywhere, so you never forget it! It’s really, really bad advice especially when password managers are so easy and accessible!

    • Vlyn@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      So try having at least 3 different passwords for personal accounts/websites

      That’s an awful take. Grab a password manager and have a random password for every single account of yours. That way all you have to do is remember a single strong password and that’s it. Instead of playing Russian roulette when one service you use gets hacked and someone gets a hold of your username / email and one of your 3 different passwords…

      • Granixo
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        One day i may do that, but in the meantime, Edge and Google manage my passwords separately.

        And i hate that my University forces a password change every 90 days (or less).