olympe

Stop Password Verification for Harmless BSAs

Okay, so there's another thread where someone posted that so many BSAs require password verification that they go on autopilot and just click where they need to.

I must admit, I tend to do the same. Which not only shows just how annoying this verification process is, especially when you need to use lots of BSAs, but can also prove to be a problem when you accidentally click the wrong action and go on auto-pilot while verifying. I know this is not the site's problem, and shouldn't be made its problem in the first place, but it clearly shows that too much password verification doesn't achieve what it's supposed to achieve: Warn you when you're performing a (potentially) harmful action and make you stop and think, "Do I really want to do that?". Of course, the verification process is also supposed to keep your scroll safe from (harmful!) interference, but is the use of most BSAs really that dangerous?

 

Right now, if I'm not very wrong, all BSAs save for Splash require password verification. Personally, I think it would be enough if this was only required for (potentially) harmful BSAs with permanent results - Bite, Earthquake, Expunge and Teleport. Not to mention for regular actions like Abandon, Release, Freeze and Kill.

 

If you want a list of BSAs that I think don't require password verification, click on the spoiler below.

Spoiler
  • Incubate: There's already a safety net built into the BSA itself. Because you cannot incubate eggs that have 3 days or less left before time of death, an accidental incubate is harmless. Two days (and one hour) is more than enough to hatch a low-time egg.
  • Influence: Probably the most difficult thing, since someone else influencing your egg wrong might be the most harmful action around. Still, you can easily avoid this by influencing an egg ASAP. If all else fails, you can still "bounce" the egg to get rid of the influence.
  • Fertility: Doesn't really affect your dragon in any way, save for the fact that the next breeding is more likely to be successful. This should not be a problem, should it?
  • Ward: Definitely the least harmful BSA out there.
  • Stun: While it would literally suck if you got stuck for 24-48 extra hours with your hatchling, especially if you're at your maximum capacity, it's a problem that will solve itself eventually. Last thing I heard, the effect that stunned hatchlings cannot gain views for 48 hours after the stunning can be undone by bouncing.
  • Summon: Either nothing happens (most likely outcome for trios), or you get a shiny special dragon (either egg or adult). In any case, if someone else successfully summons for you, there isn't really much of a problem, is there? If you really don't want the summoned dragon, just release it.
  • Corporealize, Enrage/Pacify: Only affects the dragon itself. In the case of Celestials, the effect only lasts for a week. In the case of an Aegis, the action can be undone eventually. So, no lasting harm can be done with this.
  • Precognition: It doesn't really affect anything on your scroll, it merely delivers information.

 

 

So, why do I actually want this change?

  1. Because password verification is not needed for these actions. (See spoiler above.)
  2. Because it makes things easier. KISS and all that. Imagine wanting to Influence, Incubate and Ward 8 eggs. That alone requires 24 password verifications for pretty much no risk. Not to mention the extra pop-up to verify that you really want to perform the action after entering your password. (Unless you turn off JavaScript, that is.)
  3. Because it actually helps you to not make mistakes with lasting effects. Password verification should be restricted to (potentially) harmful actions. This way, whenever the password verification page turns up, it's like a red flag that actually warns you that you're about to do something with a lasting effect. Unlike now, where the password verification process is so common that it merely sends people into autopilot mode. In essence, you're safer with less common password verification. Which I find highly ironical.

Link to post

Full support! Especially for Incubate and Influence, it is extremely annoying, but I do not want to turn the password-protection off completely.

Link to post

As someone who recently nearly abandoned a very much wanted egg, I have to agree with this. Auto-pilot mode can be dangerous and this suggestion would make it much less likely. As it is, I am much more likely to perform an action by mistake on my own egg than to have someone else enter my scroll and start messing with my dragons. And this would preserve passwords for the really irreversible actions. Support.

 

I would like to see the "are you sure" pop-up preserved for all actions, though.

 

Edited by purplehaze

Link to post

Yes please! :)

 

(...honestly, I'd like if I could turn it off altogether, or at least for a set duration - when AP hunting I keep my password in my clipboard and constantly paste it (not just temporarily in the clipboard like my password manager would do - normal clipboard usage, with all the problems that brings). I'd love to be able to get rid of the password verification on actions altogether and switch to a much longer password that properly protects my login credentials - at the moment it's short enough that I can keep it in memory despite its randomness, just in case I quickly need to do something.)

 

That said, I don't think the effects of the BSA are the only issue that the password prompt is trying to address. I think it's also trying to prevent BSAs from going into cooldown, depleting us of BSAs. I don't think that changes anything about the situation, though - the constant password prompts aren't necessary.

 

However, I don't currently see a CSRF protection for these actions (beyond the referrer check we're all too familiar with), so it would be good if that were put in before the password prompts are removed. (For the curious: That's just a technical tweak, it changes nothing about usability. The site puts a little secret token into your server-side session file (where data relating to your logged-in state is saved), and also puts it into the HTML of the form (invisibly). When you submit it, the site checks that the form also sent the token stored in your session file. This verifies that the form was sent from the site's context - an attacker wouldn't know this token value.)

Link to post
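
The token check described in the post above, as an added example (not part of the original thread and not the site's own code): a Python sketch of a per-session CSRF token that is stored server-side, embedded in the form as a hidden field, and compared on submit. The `SESSIONS` store, the `/act` URL, the field names and the user names are assumptions made for illustration.

```python
import hmac
import html
import secrets
from html.parser import HTMLParser

# Constructed stand-in for the server-side session files the post mentions.
SESSIONS = {}  # session id (cookie value) -> {"user": ..., "csrf_token": ...}


def login(user):
    """Create a session and store a fresh, unguessable CSRF token in it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_action_form(session_id, action, target):
    """Render the action form with the session's token as a hidden field."""
    fields = {
        "csrf_token": SESSIONS[session_id]["csrf_token"],
        "action": action,
        "target": target,
    }
    inputs = "\n".join(
        f'  <input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )
    return f'<form method="post" action="/act">\n{inputs}\n  <button>Confirm</button>\n</form>'


class _FormFields(HTMLParser):
    """Collect name/value pairs of <input> elements, as a browser does on submit."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and "name" in attrs:
            self.fields[attrs["name"]] = attrs.get("value") or ""


def submit_fields(form_html):
    """Return the fields a browser would send for the given form HTML."""
    parser = _FormFields()
    parser.feed(form_html)
    return parser.fields


def handle_action_post(session_id, form):
    """Check the submitted token against the session before acting."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or wrong"
    return 200, f"{session['user']} used {form.get('action')} on {form.get('target')}"


def demo():
    alice = login("alice")      # constructed sample users
    mallory = login("mallory")
    # Form served by the site itself: carries the token from Alice's session.
    genuine = submit_fields(render_action_form(alice, "incubate", "egg-1"))
    # Form built on another site: the browser still sends Alice's session
    # cookie, but that page never saw her token, so the field is absent.
    cross_site = {"action": "incubate", "target": "egg-1"}
    # A token from some other session does not match Alice's either.
    borrowed = dict(cross_site, csrf_token=SESSIONS[mallory]["csrf_token"])
    return {
        "genuine": handle_action_post(alice, genuine),
        "cross_site": handle_action_post(alice, cross_site),
        "borrowed": handle_action_post(alice, borrowed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
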

Support, that seems very reasonable.

I find validation on Incubate/Influence especially harmful, as it basically encouraged me to save my password in the browser to speed up dealing with a batch of eggs. So now it's easier to do something I don't want without paying much attention, even with validation.

 

Corporealize / enrage (I assume pacify too) don't require standard validation - corporealize leads to a site which explains how it works and lets you choose to continue (corporealize dragon) or go back. Enrage changes the dragon's state right after clicking the action name.

Link to post

As I said - disable javascript, and you don't get the pop up at all. (Of course, you don't get the warning either... you go for abandon > enter password; click and it's gone...)

Link to post
44 minutes ago, Fuzzbucket said:

As I said - disable javascript, and you don't get the pop up at all. (Of course, you don't get the warning either... you go for abandon > enter password; click and it's gone...)

You'll still have to go the extra step, after choosing the BSA dragon to use, then the target to use the BSA on, and validate your choice by entering your password.

 

I also think that the pop-up doesn't really do what you assume it does - make us re-think our choice. All it does is send us back into autopilot mode. I know my muscle memory (by now) for the whole process after hitting the respective egg's incubate link is "verify auto-inserted password, then click on stupid pop-up" all in one go. (I have a private PC nobody but me uses, and my DC password is one I don't use anywhere else, so it's relatively safe to have it saved for automation.)

Link to post

Isn't this why we have the option to type the action instead? So that someone who knows they might auto pilot into an error can set up a safety net for themselves? 

Link to post

The problem with the action name "safety net" is that it doesn't help with what password protection is originally meant for: Protecting your scroll from "friendly" meddling by friends and family. Because the action name verification, as far as I know, also works for harmful actions like Kill, Abandon, Release.

Link to post

If anything, I think it would be interesting to have a customized UI for actions.  The user could toggle password protection and/or Action Name On/Off for any action, including BSA, that they choose.  Since it would be in Account Settings, it would require password verification anyway before said changes could take effect.

 

I wouldn't recommend turning off verification for actions like Kill, but if someone wants to take that risk, they could I guess.  However, I do think it would be best to limit it to things that don't kill your dragon to prevent maliciousness in case someone accidentally leaves their account logged in.

Link to post

Fully support this! It is incredibly tedious trying to incubate or influence multiple dragons, regardless of whether you use the 'password' option or the 'all caps word' option. Would love to just be able to use these BSAs without all the extra steps.

Link to post
22 minutes ago, LadyLyzar said:

If anything, I think it would be interesting to have a customized UI for actions.  The user could toggle password protection and/or Action Name On/Off for any action, including BSA, that they choose.  Since it would be in Account Settings, it would require password verification anyway before said changes could take effect.

 

I wouldn't recommend turning off verification for actions like Kill, but if someone wants to take that risk, they could I guess.  However, I do think it would be best to limit it to things that don't kill your dragon to prevent maliciousness in case someone accidentally leaves their account logged in.

 

I would support something like this much more, where you can choose what protections to use and where (or none!), rather than a blanket 'no verification' change. Personally I *like* that all these things have verification steps, because although I can see it's the opposite for some people, I have mine set so I have to type in the action instead of password and it really does pull me out of that whole 'auto-pilot' thing (most of the time). There are certain eggs I don't want Incubated, and if you Influence wrong there is currently no self-contained way to undo that (ie, you have to get someone else's help to 'bounce' the egg...).

 

Especially now, after having these verification steps for *so* long, I can't even imagine all the frustration and confusion and mistakes that would happen if the verification steps were suddenly not there!

Link to post
3 hours ago, Verilidaine said:

Isn't this why we have the option to type the action instead? So that someone who knows they might auto pilot into an error can set up a safety net for themselves? 

Some info from the "I don't want password prompts at all" front (not your point, I know, but perhaps interesting nonetheless) - I did set my account to use actions once; that didn't get rid of all password prompts. Even if it had, though, I just don't want to manually type things. I'm not on a shared computer. The only way someone can do actions for me (if CSRF protection is put in place) is if they get my password, in which case password verification wouldn't do anything to stop them from causing further harm. Turning it off would let me pick a(n even) better password, increasing account security for me.

 

So yeah, I'm in LadyLyzar's camp - would love to see this configurable! :)

Link to post
29 minutes ago, HeatherMarie said:

 

I would support something like this much more, where you can choose what protections to use and where (or none!), rather than a blanket 'no verification' change. Personally I *like* that all these things have verification steps, because although I can see it's the opposite for some people, I have mine set so I have to type in the action instead of password and it really does pull me out of that whole 'auto-pilot' thing (most of the time). There are certain eggs I don't want Incubated, and if you Influence wrong there is currently no self-contained way to undo that (ie, you have to get someone else's help to 'bounce' the egg...).

 

Especially now, after having these verification steps for *so* long, I can't even imagine all the frustration and confusion and mistakes that would happen if the verification steps were suddenly not there!

Actually, I did not ask for a "blanket no verification change" at all, only for a change for breed-specific actions that do not endanger the dragons on your scroll (or make them go missing). Also, when using a BSA, you first need to click on a member of the correct breed of dragon. Later, you get to a page where you choose the target - a page that, once again, shows the executing dragon. So, if this page shows a pink dragon, you know that the target egg won't be incubated, and you can tell from the sprite (thanks to dimorphic sprites) whether the influence will be male or female. Enforcing password verification for this kind of thing is, in my opinion, way beyond hand-holding. (Or maybe, just to be safe, we should change it so that you not only have to choose the executing BSA dragon and the egg (while still seeing the executing dragon's sprite on top of the page), but so that you also need to enter your password, click on OK on the resulting pop-up, then have another verification step that requires you to enter the name of the action, once again with a pop-up. Not to mention that we should have to do it twice, just to be on the safe side...

Link to post
5 minutes ago, olympe said:

Actually, I did not ask for a "blanket no verification change" at all, only for a change for breed-specific actions that do not endanger the dragons on your scroll (or make them go missing). Also, when using a BSA, you first need to click on a member of the correct breed of dragon. Later, you get to a page where you choose the target - a page that, once again, shows the executing dragon. So, if this page shows a pink dragon, you know that the target egg won't be incubated, and you can tell from the sprite (thanks to dimorphic sprites) whether the influence will be male or female. Enforcing password verification for this kind of thing is, in my opinion, way beyond hand-holding. (Or maybe, just to be safe, we should change it so that you not only have to choose the executing BSA dragon and the egg (while still seeing the executing dragon's sprite on top of the page), but so that you also need to enter your password, click on OK on the resulting pop-up, then have another verification step that requires you to enter the name of the action, once again with a pop-up. Not to mention that we should have to do it twice, just to be on the safe side...

 

You are asking for a no-verification change on multiple BSAs, for everyone. Instead of every user being able to configure what they do and don't want in terms of verification. Hence the 'blanket change' comment. I'm not sure what the rest of your post means, honestly... The OP seems to be arguing against verification steps because, and I quote, 'Because it actually helps you to not make mistakes with lasting effects' but here you are talking about all the steps we currently have in place, which to me would be the opposite... Taking away steps in a process is going to make it *more* likely that people make mistakes, because they aren't used to not having those steps. 

 

I'm not sure if I'm communicating my thoughts clearly, but to me it seems taking away verification steps would do the opposite of what most people would want these changes for. Multiple people in this thread and other verification-threads have mentioned going on 'auto-pilot' when they do BSAs, and making mistakes regardless of the verification because they are on auto-pilot... How would *not* having a verification be better? People would still go on 'auto-pilot' when doing BSAs, except now there would be fewer steps until that mistake and no point where they have to confirm their mistake (which may or may not 'jog' them out of that 'auto-pilot'). I honestly just don't see how this would *help* and not *add* to the mistakes.

Link to post

I'm with Heather; you only have to look at the HELP I MISINFLUENCED thread. Influence isn't harmful, as such. And incubate - get it wrong with a siyat and you are screwed. And so on.

 

If I'm breeding to the AP I just lock myself for the duration - so that's not an issue. The rest - well, we don't have THAT many eggs needing attention at any one time. I really can't get that excited about this.

Link to post
11 hours ago, HeatherMarie said:

You are asking for a no-verification change on multiple BSAs, for everyone. Instead of every user being able to configure what they do and don't want in terms of verification. Hence the 'blanket change' comment. I'm not sure what the rest of your post means, honestly... The OP seems to be arguing against verification steps because, and I quote, 'Because it actually helps you to not make mistakes with lasting effects' but here you are talking about all the steps we currently have in place, which to me would be the opposite... Taking away steps in a process is going to make it *more* likely that people make mistakes, because they aren't used to not having those steps. 

Of course, just after such a change, people might or might not make more mistakes for a short while, but as with everything, there's a learning curve. Give it a month or so, and the number will go down again to somewhere around previous levels - and maybe even below those. The BSAs I proposed for being without verification have no lasting effect you can't counter in the long run, although I did concede that Influence might be a bit iffy. (Ever read the spoiler of the OP or went directly into "oh no" mode just because?)

 

If the verification process for pretty much everything out there (that doesn't actually need it) is taken down and only reserved for (potentially) harmful actions (abandon, release, kill, earthquake, bite, expunge, freeze, teleport), the mere fact that you get to a verification process page should ring the warning bells that you're going to do something with lasting effect. Right now, though, the warning bells for verification don't ring because it's over-used, and people kind of get immune to it due to habit-formation (or auto-pilot mode). No matter what you do, most actions (BSA and otherwise) require you to go to the process anyway. While it's true that verification through action name does have its merit, it lacks in the security department: It allows other people to easily manipulate your scroll if you forget to log out. Including killing and/or releasing all your dragons, teleporting away all your growing things and so on.

 

11 hours ago, HeatherMarie said:

Multiple people in this thread and other verification-threads have mentioned going on 'auto-pilot' when they do BSAs, and making mistakes regardless of the verification because they are on auto-pilot... How would *not* having a verification be better?

Because you're less likely to go on auto-pilot if the process is less tedious. Because it actually *is* less tedious than having to go through a verification process in the first place. And, because if password verification is reserved to actually harmful actions, getting a verification page should make you stop in your tracks because this is a sign that something unusual is going on - because you're not conditioned to ignore this page and let muscle memory take over (aka going on auto-pilot).

 

11 hours ago, Fuzzbucket said:

I'm with Heather; you only have to look at the HELP I MISINFLUENCED thread. Influence isn't harmful, as such. And incubate - get it wrong with a siyat and you are screwed. And so on.

Actually, the thread about misinfluencing proves that the verification process does NOT prevent mistakes. And, once again, I did put in the OP that Influence might be the most iffy of the BSAs I proposed for being without verification. Everything else - even incubating a Siyat wrong - can be countered or will undo itself over time. Ever heard of fogging to prevent an egg from hatching? That sure solves the Siyat problem, and even without having to rely on someone else's help.

 

11 hours ago, HeatherMarie said:

Instead of every user being able to configure what they do and don't want in terms of verification.

Because this deserves its own answer: Yes, I'm mostly against user-configurable verification processes. Because of the following reasons:

  1. It's more complicated to have it user-configurable. KISS and all. TJ is a fan of the principle.
  2. Making it user-configurable will clutter the account page. I don't know where it happened, but I remember TJ stating that he isn't a fan of that, either.
  3. As a result of 1 & 2, making verification processes completely user-configurable most likely won't fly anyway.

What I'm more than willing to do, however, is to discuss whether Influence and maybe even Stun belong on that list of harmless actions. Because the other BSAs on the list quite literally can't hurt your scroll, your dragons (growing or otherwise) or your play style.

Link to post

Only really skimmed the topic, but I would absolutely support this 100%. I play a LOT on my phone, and it's a pain typing on it - I'd much, much prefer the option to just click the BSA and go. If I screw up and use the wrong BSA on the wrong thing, then hey, that's on me.

Link to post
8 hours ago, Haloclimb said:

If I screw up and use the wrong BSA on the wrong thing, then hey, that's on me.

 

(y) I wish more players felt they had responsibility for their own actions :)

Link to post

I like this suggestion. It would save time (especially when playing on mobile) and even if I ended up accidentally committing to something I didn't mean to, I wouldn't consider it such a big deal when it comes to the suggested BSAs. Whatever risk there might be would be overshadowed by the more convenient game play, in my opinion. 

 

It would be great if users could customise verification options themselves, but if that's not possible, I'd prefer to have password verification turned off for the suggested actions. 

Link to post

Yes please! I'm tired of useless verification of pet sites. I either haven't shared a computer or have had a password on my account for so many years I've just always had my password saved in-browser for DC to avoid having to constantly re-type my password for the most mundane actions. And as someone with bad carpal tunnel all the clicking DC requires at times can be extreme. Having some kind of toggle would be ideal but any reduction in unnecessary password fields/clicks would be helpful.

Link to post
On 2/23/2019 at 9:38 AM, olympe said:

Warn you when you're performing a (potentially) harmful action and make you stop and think, "Do I really want to do that?"

 

This could have really saved me a lot of heartbreak a few years ago. I accidentally killed my one and only (at the time) CB Winter Magi. I meant to kill a different dragon, but was on autopilot with the verification and didn't pay close enough attention to what I was doing. I was devastated, as he was my first Christmas Dragon. He also had lots of offspring belonging to other people, in painstakingly-built and beautiful lineages that were then ruined. So I was not the only one who paid the price of my mistake.

 

Since then, we have been able to catch CBs again in the cave, so I was able to get a second one. However, the first (dead) CB Winter Magi is still tied to my scroll, so I am not able to have two living CB Winter Magis. But it doesn't really matter: Between my grief for my own dragon, and feeling so terrible about all the other people affected by his death, I still cannot look at WM lineages without feeling pain and have forgone them altogether. I just don't do Winter Magis any more.

 

Full support for this. Olympe has listed many good reasons, but to make you stop and think, "Do I really want to do that?" for a harmful action, by making the verification process differ from non-harmful actions, would be immensely helpful.

Link to post

How is it still tied to your scroll? It shouldn't be, as I understand things.... Quite a few people killed frozen holiday hatchies when they realised they could get a new CB holiday...

Link to post
On 3/17/2019 at 8:35 AM, Fuzzbucket said:

How is it still tied to your scroll? It shouldn't be, as I understand things.... Quite a few people killed frozen holiday hatchies when they realised they could get a new CB holiday...

When CBs were re-released into the cave at Christmas 2017, I caught a CB WM egg. When I tried to catch a second one, I got the message about being at the limit for the breed.  My only other CB WM was the dead adult.

 

Christmas 2019 edit: Apparently this has been changed since I last tried in 2017! I was just able to catch a CB Winter Magi in the holiday biome, bringing my number of (living) CB Winter Magis up to two. My thanks to TJ for the adjustment.

Edited by Tecca

Link to post

I would PM TJ - that really doesn't sound right. Unless you zombied it?

Link to post