Yay, Gravatar Added Support for Identicons, Monsterids and Wavatars

One of the Geeknews articles recently topped 80+ comments and I figured it would be interesting to turn on Gravatars to see what popped up beside the names. However, most of the posts didn’t have Gravatars associated with their e-mail, so I’d either just turn it back off or end up having to add yet another plug-in to enable autogenerating an avatar for those folks. I was leaning toward Shamus’ Wavatars.

Lucky me, it looks like as of a few months ago, Gravatar has added Wavatar support along with two other avatar generators so no plug-in is required now; how convenient! Thank you Shamus and Gravatar!

BTW, since my theme didn’t have Gravatar support built-in originally, I’ve added the following to my comments.php:

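<?php if (!empty($comment->comment_author_email)) {
    // Gravatar expects the MD5 of the trimmed, lower-cased address
    $md5 = md5(strtolower(trim($comment->comment_author_email)));
    $size = 32; // width and height in pixels
    $default = urlencode('wavatar'); // fallback avatar generated by Gravatar
    echo "<img src='http://www.gravatar.com/avatar.php?gravatar_id=$md5&amp;size=$size&amp;default=$default' alt='' />";
} ?>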

Before I learned that Wavatar support had been added to the backend at Gravatar.com, $default was “http://geeknews.net/images/no_gravatar.jpg”. As you can see it wasn’t very attractive, so being able to mix it up with something interesting is a nice touch.

For Wavatar support, just append ?d=wavatar to the Gravatar URL in your image source (here’s Gravatar’s implementation page).

Or, instead of “wavatar” you could pass in “monsterid” or “identicon”.

If you’re not familiar with any of these, here are some examples; each commenter’s unique avatar is generated either randomly or based on their IP:


12 thoughts on “Yay, Gravatar Added Support for Identicons, Monsterids and Wavatars”

  1. I hope you realize this exposes the identity of people who post messages here to anyone with a list of valid emails, such as spambots.

  2. Hey Shadow, thanks for pointing that out. The e-mail address in the gravatar url is hashed using md5 encryption. Is your comment referring to the fact that using rainbow tables can crack md5? That’s usually not a concern wrt harvesting of e-mail addresses since there’s lots of other ‘cheaper’ and easier methods of harvesting addresses.

    Or is there another flaw here in using gravatar/wavatars (or in my implementation) that I’m not seeing, where addresses are being exposed? Please don’t hesitate to point out security flaws you find.

    Thank you!

  3. I’m not saying the email address can be “decoded”. I’m saying that an operator with a list of email addresses, such as a spammer, can hash his list of emails and then use a spider to match those hashes with the ones in the gravatar URLs, and thus obtain information about those persons. Simply the knowledge that the emails are valid is valuable to a spammer. Alternatively, someone looking for information about a person with a known email address (an employer, perhaps) can do a web search for the hash of that address, and discover posts which people thought they were placing relatively anonymously.

  4. And speaking of which, does this thing choose avatars randomly if none were selected? ‘Cuz I never tried to register any gravatar, much less that triangle-head. ^^

  5. Ah yes, I remember that post, it was discoverable because I intentionally published my hash on Chatty’s site in his comment box to help in troubleshooting his gravatar implementation. 🙂

    I honestly appreciate the concern, I’ll continue to look into this.

    What I’ve found so far however, is that as long as e-mail addresses are not being exposed there’s little concern regarding information gathering possibilities.

    I think your primary concern is someone may detect that a user solicits certain web sites, that these avatars are a form of an inadvertent tracking system across the web. Is this correct?

    Thanks again.

  6. That is correct. A person may provide his email on a website expecting that it will not be displayed and that he will have anonymity with regards to the general public for his post.

  7. Wavatars are turned off, gravatars are being left on. The reason is that people leaving a comment aren’t agreeing to have their address hashed which could make that person ‘trackable’ elsewhere on the net.
    Folks that sign up for Gravatars are knowingly giving up some aspect of their privacy by wanting the icon and the service to follow them from site to site.

    Thanks Shadow.

  8. The monster ID is cool I think. But maybe you should try to make another generating ID. I recommend you a sign. Just like the Identicon, but simpler, example: white ‘S’ letter in arial font, white colour in black background. Usually, the guest didn’t like the gravatar because the ID didn’t look like their expression, too angry, ugly, wrong gender, etc. But, with the sign, it’s neutral, right? Just like Identicon. Sorry ’bout my bad English, but I just want to give suggestion. Thanks.
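
The linkability raised in comments 3 and 6, and the opt-in distinction drawn in comment 7, can be seen side by side in a short sketch. This is an added example, not code from the original post or from Gravatar; the function names, the opt-in flag and the site secrets are assumptions made for illustration. Opted-in commenters get the normal Gravatar hash, and everyone else gets a site-keyed HMAC value that still yields a generated Wavatar but cannot be recomputed from an e-mail address without the site's secret.

```php
<?php
// Added example: gravatar_hash(), keyed_avatar_id(), avatar_url(), the opt-in
// flag and the site secrets are hypothetical names, not taken from the post.

// What Gravatar expects: MD5 of the trimmed, lower-cased address.
// It is unkeyed and deterministic, so the same string appears on every site.
function gravatar_hash(string $email): string {
    return md5(strtolower(trim($email)));
}

// Site-local identifier: HMAC-SHA256 under a secret only this site holds,
// truncated to 32 hex characters so it fits where an MD5 would go.
function keyed_avatar_id(string $email, string $siteSecret): string {
    $normalized = strtolower(trim($email));
    return substr(hash_hmac('sha256', $normalized, $siteSecret), 0, 32);
}

// Emit the real Gravatar hash only for commenters who opted in; everyone
// else gets the keyed id, for which Gravatar just generates a Wavatar.
function avatar_url(string $email, bool $optedIn, string $siteSecret, int $size = 32): string {
    $id = $optedIn ? gravatar_hash($email) : keyed_avatar_id($email, $siteSecret);
    $query = http_build_query(['s' => $size, 'd' => 'wavatar']);
    return "https://www.gravatar.com/avatar/$id?$query";
}

// Constructed sample data: one commenter, two unrelated sites.
$email = ' Alice@Example.com ';
$siteA = 'constructed-secret-for-site-a';
$siteB = 'constructed-secret-for-site-b';

echo "opted in, site A:     ", avatar_url($email, true, $siteA), "\n";
echo "opted in, site B:     ", avatar_url($email, true, $siteB), "\n";
echo "not opted in, site A: ", avatar_url($email, false, $siteA), "\n";
echo "not opted in, site B: ", avatar_url($email, false, $siteB), "\n";

// The unkeyed hash is identical on both sites; the keyed ids differ.
var_dump(gravatar_hash($email) === gravatar_hash('alice@example.com'));
var_dump(keyed_avatar_id($email, $siteA) === keyed_avatar_id($email, $siteB));
```

When writing the URL into an `<img>` tag, pass it through `htmlspecialchars()` so the `&` in the query string is escaped.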

