Re: Sites requiring registration to post a comment


From: peter (Peter da Silva)
Subject: Re: Sites requiring registration to post a comment
Date: 21:19 on 22 Mar 2005
> My use.perl.org site requires registration to post.  And it's a good thing,
> too, because it prevents a lot of comment spam, trolling, and other
> undesirable things (and I know this to be true, because by accident I
> enabled anonymous comments for a few months, and the amount of abuse on the
> site noticeably increased, which is how I found out that I had enabled
> anonymous comments).

If your website is valuable and important enough to people, then you can do
that. But for flickr, or randomfansite.com?

> At 8:24 -0600 2005.03.22, Peter da Silva wrote:
> >Huh? I'm gonna spam through a password reset script?

> Yes.  Trolls do it on Slashdot just to annoy the rightful user.

But requiring a troll to jump through an easy hoop like that won't
stop the troll.

> We used to automatically reset the password when a new one was requested
> ... that was just asking for abuse.  Now, we create a new password, but
> don't activate it until it is used.

That, or create a cryptographic key that can be used to reset the password.

> >	We'll send a password reset link to your registered mail address.

> >OK. Fine. Thanks. But IT'S ONLY A WEB BOARD. MAILTO is plenty secure enough.

> If you mean that you just want your old password sent to you,

No.

> the problem is that, on Slashdot, we do not KNOW your old password.

If I meant "your old password" I'd say "your old password".

A "password reset link" means just that. A link that you can follow or a
message you can reply to that resets your password or otherwise gives you
control when you reply/follow.

> If you mean sending a new one vs. sending a link to get a new one, there's
> not a significant difference between the two, that I can see.

Well, the difference is that when you send the link you only actually change
the password when the link is used, so it can't be used to DOS the account
owner. But either of them falls under "MAILTO"; either is quite acceptable.
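The distinction drawn above, between a site that overwrites the password the moment a reset is requested and one that only changes it when the mailed link is used, as an added Python example. It is not code from this thread, from Slashdot or from use.perl.org; the class and function names, the one-hour link lifetime and the use of SHA-256 in place of a real password hash are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link; the thread names no value


def _digest(value: str) -> str:
    # SHA-256 stands in for a real password hash (bcrypt/argon2) so the example
    # has no dependencies; do not store passwords this way in production.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class Account:
    password_digest: str
    # Outstanding reset as (digest of token, expiry time); None when nothing is pending.
    pending_reset: Optional[tuple] = None


@dataclass
class UserStore:
    accounts: dict = field(default_factory=dict)

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = Account(_digest(password))

    def check_login(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_digest, _digest(password))

    def naive_reset(self, user: str) -> Optional[str]:
        """The 'reset automatically when requested' behaviour the thread criticises:
        anyone who knows the username can lock the owner out just by asking."""
        acct = self.accounts.get(user)
        if acct is None:
            return None
        new_password = secrets.token_urlsafe(12)
        acct.password_digest = _digest(new_password)  # old password dies immediately
        return new_password  # would be mailed to the registered address

    def request_reset(self, user: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a single-use reset token without touching the current password.
        Only the token's digest is stored, so a database leak yields no live links."""
        acct = self.accounts.get(user)
        if acct is None:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        acct.pending_reset = (_digest(token), now + TOKEN_TTL_SECONDS)
        return token  # goes into the mailed link; the password is unchanged

    def complete_reset(self, user: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Change the password only when a valid, unexpired token is presented."""
        acct = self.accounts.get(user)
        if acct is None or acct.pending_reset is None:
            return False
        now = time.time() if now is None else now
        token_digest, expires_at = acct.pending_reset
        if now > expires_at:
            acct.pending_reset = None  # stale link: discard it
            return False
        if not hmac.compare_digest(token_digest, _digest(token)):
            return False  # wrong token; leave the real pending reset in place
        acct.password_digest = _digest(new_password)
        acct.pending_reset = None  # single use
        return True


def demo():
    """Constructed walk-through of both flows; returns three booleans."""
    store = UserStore()
    store.register("alice", "correct horse")
    store.naive_reset("alice")  # a stranger's request alone locks alice out
    locked_out = not store.check_login("alice", "correct horse")

    store.register("bob", "battery staple")
    token = store.request_reset("bob", now=1000.0)
    still_works = store.check_login("bob", "battery staple")  # request changed nothing
    changed = store.complete_reset("bob", token, "new pass", now=1500.0)
    return locked_out, still_works, changed


if __name__ == "__main__":
    print(demo())
```

The token-based flow keeps the old password valid until the link is actually followed, which is exactly why a reset request cannot be used to deny the owner access; the digest-only storage, expiry and single-use check are the usual additions a practitioner would expect around such a link.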


Generated at 05:00 on 02 Apr 2005 by mariachi 0.52