User:Unimaginative Username/Simple Committed ID Instructions

Simple, plain-English instructions to add the "User Committed Identity" to your userpage.
(Based on Windows 98/Me/XP. Adjust as needed for your system.)

1. Go to http://www.download3000.com/download-HashCalc-count-reg-5925.html, and where it says, "Download link 1", click "Download now". (It's free.) Save to someplace convenient, like your desktop. This is the calculator you will use to turn your "secret" into the random-looking characters that you will post on WP.

2. Being naturally cautious, I always recommend scanning anything you download with your anti-virus program *before* opening it. This should take only a few seconds. Usually, you right-click the folder-looking thing named hashcalc.zip and choose "Scan with (the name of your AV program)". Mine came up clean.

3. Double-click hashcalc.zip, then double-click setup.exe. There will be the recommendation "close all Windows programs before proceeding", but with something this small and light, I didn't find it necessary to do so. Agree to the terms and keep clicking "next" until it's finished. (All of the default settings are OK.)

4. Now you're going to pick your "secret". There has been considerable discussion at WP as to whether any personal information should be mixed in with your secret. If you wish, you may review some of the suggestions here. But the important thing is that your secret is recorded in a place that is very secure against physical or electronic snoopers, while being easy for you to access, and that it would be impossible for anyone else to guess, no matter how well they knew you or how much they had discovered about you. A secret of at least 15 characters is recommended for safety. If you choose not to go with total random nonsense, or with pseudo-but-strong-random characters like those provided (securely and freely) at Steve Gibson's Perfect Password Page, I recommend including some total nonsense, like "Bears dance with chickens", or something irrelevant, like "Fargo, North Dakota" (assuming you've never lived/visited/written about it). "Fargo, New Zealand" would be both irrelevant and nonsensical - good! Add such nonsense even if you do choose to include some personal information in your secret.

5. There is probably a shortcut on your desktop to the Hash Calculator (big black H). Double-click to launch it. If not, go to Programs > HashCalc > the H logo that says HashCalc and double-click it. Or go to My Computer > C > Program Files > HashCalc > double-click to open the folder, and double-click on the black H logo Hashcalc.exe.

6. Here's where the magic happens. In the upper left of the HashCalc box, under the "Data Format" menu, choose "text string". On the left side, there is a list of available hash formulae. Check SHA-512 and uncheck the rest. (There will be Options at the end of these instructions if you wish to use a different hash formula.)

7. Type your "secret" in the upper blank box, "Data". For illustration, let's use "Fargo, North Dakota" without the quote marks, using the capitals and comma exactly as above. Of course, you will NOT use this for your real secret!

8. Click "calculate" at the bottom.

9. The answer runs off the end. They should have made the box bigger. But if you hold down the left mouse button and run the cursor from left to right, you should be able to highlight the whole thing. Hit Ctrl + C to copy the answer to your clipboard.

10. Paste the answer somewhere -- a simple text document (.txt), a Word doc, whatever. If we've both done this right, you get eb23f9153ee23a161f24d8640ed73bbee5fc9773a04204fd793b0983fcd8d01605ffe7f762d37c29e2660df11604daca8d67064f2245bf0574bd1f8bc3def63d. Yes?

What's cool about this, and the reason behind the whole process, is that although it was very easy -- instantaneous -- for the calculator to turn your secret into your hash, it is mathematically virtually impossible for any human or calculator to turn your hash back into your secret. This is due to what math geeks call "one-way functions". Don't ask me about them. Ask a math geek, and be prepared to take a few semesters of advanced math to understand the answer. Or don't worry about why. Just do it. 

OK, we're ready to rock and roll.

11. We're going to use a simplified, shortened version of the template that is posted at the Committed Identity template page. Copy and paste the following, perhaps a little below where you pasted your long output from the Hashcalc. You don't have to use the Boldface type.

 

12. Copy your long garbage-y-looking hash output from step 10 to your clipboard.

13. Select and highlight the letters "aaaa" after the pipe, |aaaa, and paste the long thingy over it (your calculated hash output), or just delete the letters "aaaa" and paste in that long thingy. Be careful not to disturb the pipe -- the |vertical line.

14. The bottom line: In our pretend example, your template now looks like this (based on Fargo, North Dakota)

15. Ready? (drum roll) Go to your user page and click "Edit". Typically, this identity thing is at the top of the page, so put in a line break or two above whatever is at the top of your page in the Edit box. Copy and paste your finished template from Step 14 at the top of the Edit box. Preview.

16. If we're lucky, we come out with the box that says:

"Committed identity: eb23f9153ee23a161f24d8640ed73bbee5fc9773a04204fd793b0983fcd8d01605ffe7f762d37c29e2660df11604daca8d67064f2245bf0574bd1f8bc3def63d is a SHA-512 commitment to this user's real-life identity." Yes?

17. Assuming that it works, repeat this with your real "secret". Or, if you used your real secret all along, you're good to go. Remember to "Save page" once your Preview is correct!

18. We all hope your account is never compromised. But if it is, you will contact an admin, perhaps from the e-mail account that is linked to your account, and tell of your account having been stolen. When asked, provide your secret. The admin will run your secret through the same formula, and when it returns the same long hash output, that is very strong evidence that you are the rightful owner of the account. Make up a new password (and/or account) and you're back in control.

And, of course, having given out your secret, you need to make up a new secret and do this hash thing all over again. But having done it once, it should be easy the next time.

19. Feedback time. How good a job did I do of explaining this in words that the average-peon, non-techie, non-crypto, non-geek-in-general could understand? Could it be improved or made simpler? I'm here only occasionally, so may not respond immediately, but all feedback is welcome. Please post on my talk page.
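The check from step 18, written out as an added example (it is not part of the original instructions or of HashCalc). It assumes the secret is hashed as UTF-8 text with no trailing newline; the function names and the sample secret are made up for illustration. It also accepts the SHA-256 and SHA-384 choices described under Options.

```python
import hashlib
import hmac

# Hash formulae recommended on this page, with their hex output lengths.
ALGORITHMS = {"SHA-256": 64, "SHA-384": 96, "SHA-512": 128}


def _hex_length(algorithm: str) -> int:
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported hash formula: {algorithm}")
    return ALGORITHMS[algorithm]


def commit(secret: str, algorithm: str = "SHA-512") -> str:
    """Return the lowercase hex hash that gets posted on the user page."""
    _hex_length(algorithm)
    name = algorithm.replace("-", "").lower()  # "SHA-512" -> "sha512"
    # Assumption: the secret is hashed as UTF-8 bytes, exactly as typed.
    return hashlib.new(name, secret.encode("utf-8")).hexdigest()


def normalize_posted(posted: str, algorithm: str) -> str:
    """Tidy a hash copied from a page and reject one of the wrong shape."""
    cleaned = "".join(posted.split()).lower()  # drop stray spaces/line breaks
    if len(cleaned) != _hex_length(algorithm):
        raise ValueError(f"posted hash is not a {algorithm} output")
    if any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("posted hash contains non-hex characters")
    return cleaned


def verify(posted: str, claimed_secret: str, algorithm: str = "SHA-512") -> bool:
    """True only if the claimed secret hashes to the posted commitment."""
    expected = normalize_posted(posted, algorithm)
    actual = commit(claimed_secret, algorithm)
    return hmac.compare_digest(expected, actual)  # constant-time comparison


if __name__ == "__main__":
    secret = "Bears dance with chickens in Fargo, New Zealand"  # constructed sample
    posted = commit(secret)
    print("posted hash:", posted)
    print("exact secret:", verify(posted, secret))              # True
    print("wrong capitals:", verify(posted, secret.lower()))    # False
    print("extra space:", verify(posted, secret + " "))         # False
```

Any change in capitals, punctuation or spacing gives a completely different hash, so the secret has to be recorded exactly as it was typed into the calculator.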

___________________________________________________________________________________________________________

Options, if you're not confused so far:
1. Different hash formulae: You might not like the length of the SHA-512 output. You could use SHA-256; just check that choice in Step 6 instead of SHA-512. The output will be half as long (and will fit in the Hashcalc box), and is only very slightly less secure -- very unlikely to be broken. However, you must make it plain that you used this formula instead of the recommended default formula. To do this, type "|SHA-256" (that's a "pipe" before "SHA-256"), without the quotes, after "|aaaa", so it looks like this:

 

You can also have fun putting your same secret through the HashCalc using any or all of the different formulae and seeing the different outputs from the same input. However, SHA-256, SHA-384, and SHA-512 are regarded by many experts as being more secure than some of the other options, and so are recommended for actual use.

2. Some people find it awkward to read "aaaa is "A" SHA-512 commitment" (instead of "AN" SHA-512 commitment), even though SHA stands for Secure Hash Algorithm, because one's mind tends to read it as "aaaa is a Ess-H-A commitment". If you would like to change "a" to "an", then go back to the template on your worksheet or in the edit box of your userpage. At the end of the template, after "aaaa", type the phrase, |article=an, (that's a "pipe" before "article=an"), so you get

   or, if you also used Option 1,

  

The same is true of the hash formula "MD-5" -- "Em-Dee 5", or "Message Digest 5"?

Personally, I prefer "Committed identity: aaaa is THE SHA-512 commitment to this user's real-life identity", which solves the "a/an" question no matter what hash formula is used, but many disagree. If you too like "the", then do as above, pasting "|article=the" instead of "an".

3. Different colors: If you've become really comfortable with this process, you can now probably understand and follow the instructions for the more general template, which allows for different color choices. The full template and instructions are here.

Regards, Unimaginative Username (talk) 23:52, 18 June 2008 (UTC)