User:Unimaginative Username/Simple Committed ID Instructions
Simple, plain-English instructions to add the "User Committed Identity" to your userpage.
(Based on Windows 98/Me/XP. Adjust as needed for your system.)
1. Go to http://www.download3000.com/download-HashCalc-count-reg-5925.html and where it says, "Download link 1", click "Download now". (It's free.) Save to someplace convenient, like your desktop. This is the calculator you will use to turn your "secret" into the random-looking characters that you will post on WP.
2. Being naturally cautious, I always recommend scanning anything you download with your anti-virus program *before* opening it. This should only take a few seconds. Usually, you right-click the folder-looking thing named hashcalc.zip and choose "Scan with (the name of your AV program)". Mine came up clean.
3. Double-click hashcalc.zip, then double-click setup.exe. There will be the recommendation "close all Windows programs before proceeding", but with something this small and light, I didn't find it necessary to do so. Agree to the terms and keep clicking "next" until it's finished. (All of the default settings are OK.)
4. Now you're going to pick your "secret". Forget all that discussion at WP. Just something that no one would *ever* guess - nothing related to anything you've ever posted anywhere on the Net, where you live, school, etc. But is easy for you to remember. You can write it down on a piece of paper, unless you distrust your roommates. Anyone who breaks into your house to steal your WP login is really desperate. They recommend at least 15 characters for safety. I recommend total nonsense, like "Bears dance with chickens", or something irrelevant, like "Fargo, North Dakota" (assuming you've never lived/visited/written about it). You get the idea.
5. There is probably a shortcut on your desktop to the Hash Calculator (big black H). Double-click to launch it. If not, go to Programs > HashCalc > the H logo that says HashCalc and double-click it. Or go to My Computer > C > Program Files > HashCalc > double-click to open the folder, and double-click on the black H logo Hashcalc.exe.
6. Here's where the magic happens. In the upper left of the HashCalc box, under "Data Format" menu, choose "text string". On the left side, there is a list of available hashing programs. Choose SHA-512, partly because the WP template defaults to that anyway, and uncheck the rest. (For fun, you can check as many as you like and see how differently each program hashes the same input.)
7. Type your "secret" in the upper blank box, "Data". For illustration, let's use "Fargo, North Dakota" without the quote marks. (Using the capitals and comma exactly as above). Of course, you will NOT use this for your real secret!
8. Click "calculate" at the bottom.
9. The answer runs off the end. They should have made the box bigger. But if you hold down the left mouse button and run the cursor from left to right, you should be able to highlight the whole thing. Hit Ctrl + C to copy the answer to your clipboard.
10. Paste the answer somewhere -- a simple text document (.txt), a Word doc, whatever. If we've both done this right, you get eb23f9153ee23a161f24d8640ed73bbee5fc9773a04204fd793b0983fcd8d01605ffe7f762d37c29e2660df11604daca8d67064f2245bf0574bd1f8bc3def63d. Yes?
If you don't like dealing with stuff that runs off the end like that, use SHA-256 instead. It's not *that* much less secure than SHA-512, and we're talking about WP, not your Nigerian bank account. I get f5b305f019ac00f04da9baf1a51466e984ca716e3779cfd091bc681ab39f3ee1. Yes?
What's cool about this, and the reason behind the whole process, is that although it was very easy -- instantaneous -- for the calculator to turn your secret into your hash, it is mathematically virtually impossible for any human or calculator to turn your hash back into your secret. This is due to what math geeks call "one-way functions". Don't ask me about them. Ask a math geek, and be prepared to take a few semesters of advanced math to understand the answer. Or don't worry about why. Just do it.
(The geeks will tell you that they have found weaknesses in the older hash functions, like SHA-1, MD-2, etc. Of course -- why else would there be an MD-4, an MD-5, SHA-384, SHA-512, etc.? Right? It's sort of like, "Whatever happened to Preparations A, B, C, D, E, F, and G?" They don't like to tell you about those :-) The recent ones are considered unbreakable with the present state of knowledge.)
OK, we're ready to rock and roll.
11. Going back to the WP page, Template:User_committed_identity, we copy and paste the template, maybe a little below where we pasted our hash answer.
{{User committed identity|hash string|hash function used|background=CSS color|border=CSS color|article=grammatical article for the hash function}}
12. Copy your long garbage-y-looking hash output from step 10 to your clipboard.
13. Select and highlight the words "hash string" in between the two pipes |hash string|, and paste the long thingy over it, or just delete the words "hash string" and paste in that long thingy, your calculated hash output. Be careful not to disturb the pipes -- the |vertical lines|.
14. If you used SHA-512 as recommended, do nothing to "hash function used". If you used anything else, paste it over those words. For example, |SHA-256|.
15. I think their chosen colors are fine. If you agree, look near the end of the Syntax paragraph at their example,
{{User committed identity|aaaa|SHA-1|background=#FC9|border=#000}}
Copy and paste |background=#FC9| over |background=CSS color| in the basic template. (Of course, if you're very careful with your copying and pasting, you can leave "background=" alone and just paste #FC9 over "CSS color".)
16. Similarly, copy/paste border=#000 over border=CSS color.
17. If you don't like their colors, there are lots of sources for CSS color codes, but you're on your own there :) I say, for the first time at bat, go with what they give you.
18. Here's the part that I find unnecessary. They give you a choice of whether you want to say,
"Committed identity: aaaa is A SHA-1 commitment to this user's real-life identity."
or
"Committed identity: aaaa is AN SHA-1 commitment to this user's real-life identity."
Obviously, the grammatically-correct answer depends on whether the reader's mind reads SHA as "Ess-H-A", in which case "an" is correct, or "Sha" as in the former Shah of Iran (or "Secure Hash Algorithm", which is what it actually stands for), in which case "a" is correct. I'm one of the pickiest grammarians on WP (check my userboxes and copy-editing street creds), but I think this adds more confusion for the rest of us. (The same is true of "MD-5" -- "Em-Dee 5", or "Message Digest 5"?)
Anyway, if you delete this part entirely, it will say, "a" SHA etc. If you want "an", just paste "an" over " article=grammatical article for the hash function".
The easy solution -- but they didn't ask me -- is to have the template read:
"Committed identity: aaaa is THE SHA-1 commitment to this user's real-life identity."
That would end the "article=grammatical article for the hash function" thing, which has indeed caused a number of user questions there. Maybe they'll change it someday.
19. The bottom line: In our pretend example, your template now looks like this (based on Fargo, North Dakota and SHA-512)
{{User committed identity|eb23f9153ee23a161f24d8640ed73bbee5fc9773a04204fd793b0983fcd8d01605ffe7f762d37c29e2660df11604daca8d67064f2245bf0574bd1f8bc3def63d|SHA-512|background=#FC9|border=#000}}
Note that if you did use the SHA-512 hash thing, you could just delete "hash function used" from the template, since if this "parameter" is missing, it defaults to SHA-512. But no harm in typing it in. (You must type in any other hash formula used, as in Step 14.)
20. Ready? (drum roll) Go to your user page and click "Edit". Typically, this identity thing is at the top of the page, so put in a line break or two above whatever is at the top of your page in the Edit box. Copy and paste your finished template from Step 19. Preview.
21. If we're lucky, we come out with the black-on-orange box that says:
"Committed identity: eb23f9153ee23a161f24d8640ed73bbee5fc9773a04204fd793b0983fcd8d01605ffe7f762d37c29e2660df11604daca8d67064f2245bf0574bd1f8bc3def63d is a (or "an") SHA-512 commitment to this user's real-life identity." Yes?
22. Assuming that it works, repeat this with your real "secret". Or if you used your real secret all along, you're good to go.
23. So what?
That's a good question. I don't know whether there has actually been a rash of WP account compromises, or they did this just to show off their crypto skills (I'm guessing the latter.) My feeling, to paraphrase Shakespeare's "Othello" (Act III, Scene 3) is, "Who steals my purse had better be able to run faster than I can shoot, but he that filches from me my WP account is a pathetic loser who is more than welcome to it."
But assuming someone did compromise your account (and that you care), the question is: Who is it that's logging in as "you" that's really "you"? So, you could contact an admin or sysop (maybe via email, phone, fax?), give them your secret (Fargo, North Dakota), they run it through your displayed hash formula (SHA-512, e.g.), come up with the same long list of characters as are on your user page, and say, "Yeah, you're you. Make up a new password (and/or account) and you're back in control."
And, of course, having given out your secret, you need to make up a new secret and do this hash thing all over again. But it'll be like murder -- it'll get easier every time you do it. (Hopefully, never.)
24. Feedback time. How good a job did I do of explaining this in words that the average-peon, non-techie, non-crypto, non-geek-in-general could understand? Could it be improved or made simpler? I'm here only occasionally, so may not respond immediately, but all feedback is welcome. Please post on my talk page.
Regards, Unimaginative Username (talk) 05:40, 15 June 2008 (UTC)
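
The check an admin performs in step 23, together with the hashing from steps 6 to 10, as an added example (not part of the original instructions and not Wikipedia's own code): it pulls the hash and function name out of the template wikitext and tests a claimed secret against them. The Python function names, the UTF-8 encoding of the secret and the sample secret are assumptions made for the illustration.

```python
import hashlib
import hmac
import re

# Function names as written in the template, mapped to hashlib names.
ALGORITHMS = {"SHA-512": "sha512", "SHA-384": "sha384", "SHA-256": "sha256"}
TEMPLATE_RE = re.compile(r"\{\{\s*User committed identity\s*\|(.*?)\}\}", re.I | re.S)


def commit(secret, function="SHA-512"):
    """Hex digest of the secret's UTF-8 bytes (the encoding is an assumption)."""
    return hashlib.new(ALGORITHMS[function], secret.encode("utf-8")).hexdigest()


def build_template(secret, function="SHA-512"):
    """Wikitext as in step 19, with the page's example colours."""
    return "{{User committed identity|%s|%s|background=#FC9|border=#000}}" % (
        commit(secret, function), function)


def parse_template(wikitext):
    """Return (hash, function) from the first committed-identity template."""
    match = TEMPLATE_RE.search(wikitext)
    if match is None:
        raise ValueError("no User committed identity template found")
    # Named parameters (background=, border=, article=) contain '='.
    positional = [p.strip() for p in match.group(1).split("|") if "=" not in p]
    if not positional or not positional[0]:
        raise ValueError("template has no hash string")
    # Step 19: a missing function parameter defaults to SHA-512.
    function = positional[1].upper() if len(positional) > 1 and positional[1] else "SHA-512"
    return positional[0].lower(), function


def verify(wikitext, claimed_secret):
    """True only if the claimed secret hashes to the posted commitment."""
    posted, function = parse_template(wikitext)
    if function not in ALGORITHMS:
        raise ValueError("unsupported hash function: " + function)
    computed = commit(claimed_secret, function)
    return hmac.compare_digest(computed.encode(), posted.encode())


if __name__ == "__main__":
    secret = "constructed example secret, not for real use"
    page = "Some user page text\n" + build_template(secret) + "\nmore text"
    print(verify(page, secret))            # exact secret
    print(verify(page, secret.upper()))    # capitalisation changed
```

The commitment is only as hard to reverse as the secret is to guess, which is why step 7 asks for a long secret unrelated to anything you have posted.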