I mean, pretending to be someone in another instance, “stealing” the username, is trivial. I see the more likely targets being instance admins or high profile users. Should we worry somewhat about this?
That’s why instance is part of the username. It’s no different than email addresses.
Confusing similar domain names are a common thing with email. Micr0soft.com vs Microsoft.com. Same idea could be done with instances.
Setting a display name hides the instance bit. You have to check the URL or profile to see which instance they’re on, which people definitely won’t do every time. Especially if an impersonator just joins inside a thread mid-conversation, it won’t be obvious at all that it’s suddenly a different person writing.
Just like emails, when people write something like
”Amazon Gift Cards” <yolo@yolo.com>
in theFrom
field.
His concern is probably that in comments etc. only username is displayed. You have to go to person’s profile to discover their instance.
Instance is shown if it’s different to the one you’re on. I can see your instance is vlemmy.net
Not if they set a display name. Many of the mobile apps are also bad about it even without a display name.
Yes, for sure. While the identity of a user can be checked, nobody is going to do this every time. IMO the simplest solution would be to just always show the instance even if a display name is set.
Yeah, I think how most Lemmy clients (including the default web UI) handle display name is a real mistake.
I feel like they could solve it by adding instance only when another user with similar name is present in the comment section. It would make it clear that a duplicate username is present without changing a lot for a majority of lemmy-commenr sections.
It currently shows: pic, username (or login name@instance), local link to the comment, federated link, language
Seems like the easiest solution would be to always show the user’s instance in a separated column
I think showing something like
DisplayName (@username@instance)
if they have a display name would make sense… honestly I would like to disable showing display name entirely (didn’t need it on that other site, never found it useful on twitter/mastodon/etc), but understand that would may be a less popular option.
Some other projects in the fediverse have a verification mechanism in place.
I personally like Mastodon’s: if you add on your profile a link to a webpage that itself links to your profile, Mastodon will show a green checkmark next to the link: https://joinmastodon.org/verification
So you can verify your profile by linking to a webpage you own or testifies your account’s authenticity (ie. your blog, your author page of the publication your write for, etc.)
Hopefully other projects (including Lemmy) will take inspiration from this process to limit impersonations.
It’s a bit of a problem, indeed. Here’s a practical example of that:
In this example, I’m writing from a lemmy.ml account, but the display name impersonates another account in another instance (beehaw.org). Anyone could do this with someone else’s account.
Based on that, I think that:
- the Lemmy software should not allow you to use “@” as part of your display name. Ever. Reserve it as a special character.
- clients should always show which instance you’re from, even with a display name. A simple icon would be enough as long as instance admins set up uniquely identifiable ones.
- two accounts in the same instance should never be allowed to use the same display name.
And for us, users: never rely on the display name. If the identity of someone is contextually relevant, always check the actual username, not the display name.
Twitter implementation seems good enough. Big display name with smaller unique handle below. Might be a bit bloat, but solves the problem.
To me, this just seems like a variation of the age-old issue of online impersonation. In the early days of social media, there were people squatting on famous people’s name/registering variations.
On my instance, admins are tagged as such which seems like a good solution. I wouldn’t be surprised if we start seeing verification like on Mastodon, though I couldn’t find any issues for this on their github.
deleted by creator
It also seems very weird that you can reply to a deleted comment! (I deleted it because what I was saying was wrong in multiple ways, not just the one you pointed out)
deleted by creator
I’ve already seen a couple cases where some user would set their display name to that of one of their instance admins, and proceed to post spam all over. It’s pretty easy to tell when someone is attempting to impersonate though, their profile URL will never match up with the name they’re trying to hijack.
In the couple times that I saw that so far, community mods and instance admins were quick to take down the account in question. Impersonation could be an issue for less-actively moderated communities & instances, but Lemmy does have the tools to deal with it.
I recently switched instances, and actually made sure to update my bio on both accounts to link to each other. But like others already said, banning the @ in usernames, and showing the instance would be a great addition to help prevent things.
This was discussed deeply a few days back.
It’s something we should be worried about everywhere we go online.
So try having at least 3 different passwords for personal accounts/websites and also contact moderators or support if you suspect your account has been compromised.
So try having at least 3 different passwords for personal accounts/websites
That’s an awful take. Grab a password manager and have a random password for every single account of yours. That way all you have to do is remember a single strong password and that’s it. Instead of playing Russian roulette when one service you use gets hacked and someone gets a hold of your username / email and one of your 3 different passwords…
This isn’t about compromised accounts though. I could just create an account, give it the display name “Granixo” and your profile picture. It would look exactly like your account unless people actually click the profile or look at the profile URL.
So try having at least 3 different passwords for personal accounts/websites
That’s terrible advice when password managers are a thing. Also, this is about impersonation, not credential theft.
Not everyone has access/knows how to use a password manager.