Frequently Asked Questions
Q: I logged into a BotWorks.com-powered web site, but then I got an error message saying "Incorrect Authorization Key: IP-Address does not match: 18.104.22.168 vs. 22.214.171.124" (any two different IP-addresses)
A: Contact BotWorks.com support and request "relaxed security" for your account or switch to a different ISP (recommended).
The default security for BotWorks.com users (and users of other BotWorks-powered sites) is superior to what most web sites provide.
After a successful login (user name and password) Bot Works' authorization sends an encrypted "cookie" to your browser with four items encoded in it:
- Your User ID number
- A marker derived from your password
- The IP address from which you logged in
- The time at which you logged in
This combination of data items provides a temporary session key that:
- Can only be created by someone who knows your password (This should include only you, by the way1)
- Is only good for a limited period of time; and
- Is only good on the computer (or small network) from which you logged in.
The last part (making the session key only good on the computer you logged in from) is currently
above and beyond standard industry practices, but, without it, it's possible
for someone to perform a "man-in-the-middle" attack on your account by intercepting the authorization key and
then using it to access your Bot Works account from a different location (IP address).
It's standard practice for Internet Service Providers (ISPs -- the people who sell you basic internet access via DSL, cable or dial-up) to reserve a single IP-address for you from the time you connect to the net until you disconnect. Unfortunately, there is at least one larger ISP (AOL, America Online) who finds it convenient to change their customers' IP-addresses on the fly, without any warning and at any time during the customer's online session.
Because of this practice (which we call "musical IP addresses", after the grade school game of "musical chairs"), BotWorks.com has been forced to turn off our IP-address-checking security feature for AOL users. Usually, we can recognize AOL users by their e-mail addresses (firstname.lastname@example.org) and automatically make adjustments when they sign up for a BotWorks.com account. However, some AOL users prefer to access their e-mail through MSN, Gmail or some other e-mail service. Unfortunately, we don't know about these cases until they get the characteristic "IP-Address does not match" error message, which we monitor for.
Recently, it appears that some other ISPs are beginning to follow AOL's example. At BotWorks.com, we continue to monitor practices of leading ISPs and will make adjustments as necessary to accomodate users of all ISPs while, at the same time, educating people about the risks of using ISPs who practice "musical IP addresses" .
There is a small economic incentive for large ISPs to try to serve the most users with the fewest IP addresses, however this practice makes it impossible to offer the best security for web site access as BotWorks.com does.
Eventually, everyone will switch to 64-bit IP addresses (instead of the 32-bit IP addresses commonly used today). The change will make IP addresses cheap and plentiful once again so ISPs won't have the incentive to deallocate IP addresses from less active users and re-allocate them to recently (re-)activated users.
In the meantime, please encourage web sites you visit to protect you from man-in-the-middle attacks (most currently don't). Also, please stop using ISPs that rely on "musical IP addresses" and explain to them why you're leaving (feel free to refer to this web page). Thank you.
1. As long as you don't tell anyone your BotWorks.com password you are the only one who will know it. At BotWorks.com, we don't even keep anything but a hash (one-way encrypted) version of your password in our database to validate your logins. That is why, when you forget your password, we have to e-mail you a new password-- because we don't have any record of what your old password was.