New Log In is...Interesting

what’s the private data you’re concerned about? as far as i can gather, it’s your name, preferred language, and email address… is there more to it?

Aside from the inconvenience of having to re-log in on six different devices with a rather complicated password to type, I didn’t notice anything different… Then again I’m not a fanatic for worrying about cookies and stuff… I did get 4 e-mails, all from my computers, no e-mails were generated from my phone/tablet…

McNeel is about the last company in the world I would worry about when it comes to what they might do with any personal information they have on me… There are lots more scary companies and government organizations that already have far more info on pretty much all of us than we’d like to imagine. Welcome to 2016.

–Mitch

2 Likes

I never even had to do that. Nothing was ever different here. I guess I did something wrong then…

Have you logged out and logged back in again? --Mitch

Actually, we’re taking away information from Discourse and keeping it securely within McNeel now.

I have forgotten that the idea of single sign on is brand new to many of you. Let me see if I can explain how it works.

But first, a bit about “your private data into their database”.

https://accounts.mcneel.com is a web site and database system written and maintained by McNeel. It has nothing to do with Discourse or the Discourse team. McNeel Accounts is an authentication system. Authentication is the process of determining that something or someone is who they say they are. This process is technically complex and involves lots of cryptography.

Our goal with McNeel accounts is simple: to provide you with one place to have a username and password to access everything McNeel related. To do that, we need an authentication system that can work with other web sites and software. That’s why we chose OpenID Connect - it’s a protocol designed by Microsoft, Google, and others to securely authenticate users.

We migrated your account information from discourse.mcneel.com to accounts.mcneel.com so that we wouldn’t have to explain to everybody how to set up new accounts to log in.

When you visit discourse.mcneel.com and click Log In, a conversation is started between you, the Discourse server, and McNeel accounts. The entire conversation is encrypted, and the only place your password is ever entered is on McNeel Accounts (unless you’ve linked a Google or Facebook account, and in that case, McNeel Accounts doesn’t ever see your password). If you want to know more about the details of the conversation, you can watch this video.

At the end of the conversation, discourse.mcneel.com ends up with a few bits of information about you - encrypted over HTTPS and digitally signed to verify authenticity: your email address, user name, full name, a link to your avatar, and your McNeel Accounts ID (a big random number).

This process communicates to discourse.mcneel.com “McNeel Accounts declares that the person on this computer is who they say they are” and so discourse.mcneel.com then gives you access to your account, your ability to post, and your profile.
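The last step described in the post above, sketched as an added example that is not part of the thread and is not McNeel's or Discourse's code: the forum checks the signed ID token before trusting the claims in it. The HS256 shared secret, the client id `forum-client`, and the sample claim values are assumptions made for illustration; the post does not say which signing algorithm McNeel Accounts uses.

```python
import base64, hashlib, hmac, json

ISSUER = "https://accounts.mcneel.com"  # issuer URL named in the post
CLIENT_ID = "forum-client"              # hypothetical client id for the forum
SECRET = b"constructed-shared-secret"   # constructed; assumes HS256 signing

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_id_token(claims: dict, secret: bytes) -> str:
    """Accounts-server side: sign the claims as a compact HS256 JWT."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(mac(head + '.' + body, secret))}"

def verify_id_token(token: str, secret: bytes, nonce: str, now: int) -> dict:
    """Forum side: return the claims only if every check passes."""
    head, body, sig = token.split(".")  # ValueError if not three parts
    if json.loads(unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, reject "none"
    if not hmac.compare_digest(mac(head + "." + body, secret), unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:  # aud may also be a list in OIDC
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims

def login_outcome(token: str, nonce: str, now: int) -> str:
    try:
        return "accepted: " + verify_id_token(token, SECRET, nonce, now)["email"]
    except ValueError as err:
        return "rejected: " + str(err)

# Constructed sample claims mirroring the fields listed in the post.
SAMPLE = issue_id_token({
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "8137495520164", "nonce": "n-42",
    "exp": 2000, "email": "user@example.com", "preferred_username": "user",
    "name": "Example User", "picture": "https://example.com/avatar.png"}, SECRET)

if __name__ == "__main__":
    print(login_outcome(SAMPLE, "n-42", 1000))
```

The forum never handles the password in this flow; it only receives the signed claims and rejects any token whose signature, issuer, audience, expiry, or nonce does not match.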

Try again. Your email address at the wiki was mitch@.com, and your McNeel Account is info@.com. I changed your wiki account to use info@****.com.

Nope, I can see here that wim is still logged in using a cookie from the old auth mechanism.

@wim if you want to give this a try, please follow these instructions.

Thank you for the clarifications Brian.

If user’s personal data is taken from the user to Discourse, and then taken away from Discourse, then that negates the fact that you forced a person to give you their personal data. I apologize then.

Interesting. Now I am even more convinced that I shouldn’t have made a choice of providing my data at all.

I see: McNeel is concerned that somebody else who accidentally knew my password will log in to my account and start replying to other people’s questions on discourse.mcneel.com.


One more question: is it possible to turn off the sending of this new: you recently logged in to McNeel Accounts from a new device email I am blessed with each time I use one internet browser over another?
Thank you.

Still doesn’t seem to be working… --Mitch

Bummer. I’ll need to work with you on Monday when I have more access to all the servers.

OK, NP… --Mitch

“McNeel Accounts – You logged in from a new device”

Hello,

I would like to ask (and forgive me if this is not the right place to do so): after the account shift, I can’t seem to be able to log in to my.mcneel.com, where we maintain our training schedule. We are Rhino trainers in Greece, and used our info@decodefablab.com mail to log in to my.mcneel.com (so this account I use to write now is my personal one, not the one with the training center schedule maintenance). I tried already to recover the lost password, and an email came to info@decodefablab.com saying that the email address is not associated with a McNeel account. Am I missing something?

Thank you for your time.

Hi Jim,
I too usually don’t log in, but for a while one had to log in to read the V6 WIP posts, so this technique only really works well now.

I log in with a password and not the way you log in. McNeel had these three questions you had to agree to, then they let you log in; if you said no, they kicked you off. Consequently I see they have removed the extra check boxes on log on, or maybe it was a one-time deal, but since you logged in differently you might not have seen that, and that’s what I was complaining about.

One glitch:
For login this site asks first for your email. I enter that and hit enter, but then no box pops up for the password. I had to hit the enter key, and then a box popped up saying you need a password.

Now I realize what the “are your McNeel accounts safe” post was all about. Be careful about putting all your eggs in one basket.
RM

The password manager LastPass doesn’t work with the login (I have to copy and paste both logon dialog fields).

// Rolf

I never understood why people use a password database that is hosted by some third party. I prefer KeePass myself :slight_smile:

Oh, when I was a kid we always joked about why we used two ply toilet paper - so we could send a copy to the Soviet Union. Now it is the NSA that wants a copy. Not of the toilet paper though. :slight_smile:

// Rolf

1 Like

Hi Nathan,

I use lastpass as well and it has a few benefits that for me outweigh the possible security issue:

  • Synced between devices and access from any device.
  • Lastpass is encrypted on the client side.

Local stored databases like KeePass can get lost/stolen with the hardware so I need to add it to my regular backups.

Yet I agree that with lastpass a third party has potential access to my data.
-Willem

1 Like

Same with KeePass. It would be nice if the login method followed a pattern usable by these programs. IE [Username] [TAB] [Password] [ENTER].

You can streamline this using a synced folder like dropbox or google drive. You are then going back to storing your password database on a third party website. At least you can manage this method yourself and be a little more confident that the encryption is truly client side. It all depends on what you are comfortable with.

I enable cookies and then use Chrome, which is set up to remember all of my log-ins. I then made a shortcut on the Chrome ‘bookmark bar.’ Now, it’s one painless click and I’m in! My life is that much better.

If someone sits down at my computer and makes weird comments on the Rhino forum, I can live with that. Plus, how would you tell, you crazy ugly fools?