An Idea for More Memorable Identicons

Identicons are those odd graphics you see next to people's names in comments.

They work by hashing the name and email and generating the graphic from the hash. The email remains secret, but if it changes, the identicon will change. My main problem with identicons is that they're intricate, and I cannot remember what they look like. I suspect some people have good memories for shapes with all those complex little details, but I sure don't.

My proposal is a little simpler. This better identicon would have two parts - there would be four letters and numbers, uppercase, set against a background that looks like a flag. There would be only six basic flag shapes, each with two colors: a cross, a circle, a diagonal dividing line, a horizontal dividing line, a vertical dividing line, and a triangle that spans the left edge with the vertex at the center. There would be six colors that could be used to make the flag.

We'd have to eliminate possible duplicate letters like O and 0, and I and 1, so you get 34 alphanumeric symbols.

So the total number of possible icons is: 34 * 34 * 34 * 34 + 6 * 6 * 5 = 1.34 million possible icons.

While that space isn't large enough to produce unique icons for everybody, it should be large enough for a message board. Suppose you have 10,000 users. The odds of a collision are 1 in 134.

Also, because the username is displayed, for someone to fraudulently impersonate someone, they'd have to guess a password for that user.

The sample page generates identicons with SVG, so there's less load on the server.

Sample of the idea, here.
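The scheme described above, as an added example (it is not the code of the sample page): hash the name and email, split the hash into four symbols, one flag shape and two distinct colors, and emit SVG. The FNV-1a hash, the palette, the choice to drop the letters O and I, and the field order are assumptions made for illustration; FNV-1a is not a cryptographic hash, so a deployment that relies on the email staying secret would use one that is.

```javascript
// Added example. Assumptions: FNV-1a 64-bit stands in for the unspecified hash,
// and the color names and field order are illustrative choices.
const SYMBOLS = "ABCDEFGHJKLMNPQRSTUVWXYZ0123456789"; // 34 symbols: letters O and I dropped
const SHAPES = ["cross", "circle", "diagonal", "horizontal", "vertical", "triangle"];
const COLORS = ["red", "blue", "green", "gold", "black", "purple"]; // constructed palette
// Flag overlays on a 100x60 canvas, drawn in the second color.
const SHAPE_SVG = {
  cross: '<rect x="40" width="20" height="60"/><rect y="20" width="100" height="20"/>',
  circle: '<circle cx="50" cy="30" r="22"/>',
  diagonal: '<polygon points="0,60 100,0 100,60"/>',
  horizontal: '<rect y="30" width="100" height="30"/>',
  vertical: '<rect x="50" width="50" height="60"/>',
  triangle: '<polygon points="0,0 50,30 0,60"/>', // spans left edge, vertex at center
};

function fnv1a64(text) {
  let h = 0xcbf29ce484222325n;
  for (const byte of new TextEncoder().encode(text)) {
    h = ((h ^ BigInt(byte)) * 0x100000001b3n) & 0xffffffffffffffffn;
  }
  return h;
}

// Hash name + normalized email, then peel off mixed-radix digits for each field.
function hashflag(name, email) {
  let h = fnv1a64(name.trim() + "\n" + email.trim().toLowerCase());
  const take = (n) => { const d = Number(h % BigInt(n)); h /= BigInt(n); return d; };
  let code = "";
  for (let i = 0; i < 4; i++) code += SYMBOLS[take(SYMBOLS.length)];
  const shape = SHAPES[take(SHAPES.length)];
  const bg = take(COLORS.length);
  const fg = (bg + 1 + take(COLORS.length - 1)) % COLORS.length; // never equals bg
  return { code, shape, colors: [COLORS[bg], COLORS[fg]] };
}

// Only values from the fixed tables above reach the markup; the name and email
// themselves are never interpolated, so they cannot inject SVG or script.
function toSvg(flag) {
  const [bg, fg] = flag.colors;
  return '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 60">' +
    `<rect width="100" height="60" fill="${bg}"/><g fill="${fg}">${SHAPE_SVG[flag.shape]}</g>` +
    '<text x="50" y="38" text-anchor="middle" font-family="monospace" font-size="22" ' +
    `fill="white" stroke="black" stroke-width="0.7">${flag.code}</text></svg>`;
}

// Constructed sample identity.
console.log(toSvg(hashflag("alice", "alice@example.org")));
```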

[It eventually came to me that PGP can be used as well. You would just use the ID as the identity key, and then sign each post with the private key. The other side (being the server and the end user) could verify the post with the public key. Hashflag could be a visual widget that uses the ID as the identity, and the key could be calculated by using the public key to encrypt a known value.]

The PGP verifiability was an interesting idea, but at the same time, lack of verifiability is a form of security too. Who cares if random comments on articles are authentically yours? They aren't important. Anonymity and non-verifiability give people freedom to speak more freely.

I've been thinking about ways to create a hard-to-track email system for this hashflag flaghash identity scheme. It could be done with PGP, if users would set up profile pages with public keys - that is, you need a directory and key server. For every user, you could create your message, and then encrypt it with their public key. They'd retrieve it and decrypt it with their private key.

To make it harder to trace, you could create pools of messages, with some number of messages per pool. Maybe it'd be 10. Anyway, you insert your message into the system, and it's thrown into a pool. There would be other messages in the pool (some could be fakes). A URL is returned that points back to the pool. At some future time, when the pool is full, the pool can be downloaded as a zip file or some kind of archive. The recipient then unzips it and tries to decrypt each message. If the message decrypts, it was addressed to them.

Because messages are assigned to pools randomly, you need an index of messages. Again, this would be an aggregated list of index entries. The entry would be the URL of a pool, encrypted with the recipient's public key. An entry that can be decrypted belongs to the recipient.

The index could just be a bunch of entries, with rough expiration dates (with some randomization to keep the list full). They could be digested with several hundred entries per digest, and recipients would try to decrypt each of them.

The system has a ton of chaff, so finding your own message is like finding a needle in a haystack. It requires a lot of CPU, but for someone trying to crack it, it requires a whole lot more CPU.