At 14:14 +0000 2005.03.22, Earle Martin wrote:
>No, I don't want to register a FREE ACCOUNT! on your website just to post a
>fucking comment. Yes, Flickr, I'm looking at you.

My use.perl.org site requires registration to post. And it's a good thing, too, because it prevents a lot of comment spam, trolling, and other undesirable things (and I know this to be true, because by accident I enabled anonymous comments for a few months, and the amount of abuse on the site noticeably increased, which is how I found out that I had enabled anonymous comments). Sure, it also eliminates some good content, but it's a worthwhile tradeoff, IMO.

At 8:24 -0600 2005.03.22, Peter da Silva wrote:
>Huh? I'm gonna spam through a password reset script?

Yes. Trolls do it on Slashdot just to annoy the rightful user. There are other ways to deal with this, such as limits on how many password requests can be made from a given IP, or for a given account, but this is one way. We used to automatically reset the password when a new one was requested ... that was just asking for abuse. Now, we create a new password, but don't activate it until it is used.

> Your question was... WHAT IS YOUR FAVORITE COLOR? [ ]
>
>Arse. What did I say for this one? Let's check my email... huh, they didn't
>send the answer in the link. Of course. OK, let's see... "bluenogreen".

Yeah, this is ridiculous. Worse, it is often used as a means to actually access the account, rather than to send you email providing that access, which means there is a backdoor into your account, which means your account is less secure. If someone knows your favorite color/mother's maiden name/pet's name, then they can access your account.

> We'll send a password reset link to your registered mail address.
>
>OK. Fine. Thanks. But IT'S ONLY A WEB BOARD. MAILTO is plenty secure enough.

If you mean that you just want your old password sent to you, the problem is that, on Slashdot, we do not KNOW your old password. It's stored crypt'ed. So we can't send it to you, we can only send you a new one, or a link to get a new one, etc. If you mean sending a new one vs. sending a link to get a new one, there's not a significant difference between the two, that I can see.

>Arse! I don't remember what tagged address I used for this board...

Yeah, that's dumb when both are required. Either one is sufficient, user name or email address.

>and how
>does this improve security anyway? And it's STILL JUST A FUCKING WEB BOARD!

I tend to agree, but we got a lot of complaints from people who used private information as their password, or used the same password as other more important sites: if we made someone's password available by accident (as sometimes happens), then they got really angry that we exposed it because of what else it might be used for. So it was worthwhile to just take some extra steps to keep the password secure, because users are stupid.

--
Chris Nandor                    pudge@xxxxx.xxx    http://pudge.net/
Open Source Technology Group    pudge@xxxx.xxx     http://ostg.com/
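The reset scheme the message above describes (passwords stored only as hashes, so the old one can never be mailed back; a requested reset that changes nothing until the user actually exercises it, so a troll triggering resets cannot lock out the rightful owner; and a per-account limit on reset requests), as an added Python example that is not part of the original post or of the Slash code base. The PBKDF2 iteration count, token lifetime, request limit and the sample usernames and passwords are constructed values, not anything the thread states.

```python
"""Added example (not from this thread or from Slash): hashed password storage,
pending-until-used reset tokens, and a per-account request rate limit."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # constructed parameter
SALT_LEN = 16
TOKEN_TTL = 3600              # seconds a pending reset stays valid (constructed)
MAX_RESETS_PER_WINDOW = 3     # per-account limit (constructed)
WINDOW = 3600                 # seconds over which the limit is counted (constructed)


def hash_password(password, salt=None):
    """Store salt + PBKDF2 digest; the plaintext is never kept, so it can't be mailed back."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def _token_hash(token):
    # Only a hash of the mailed token is stored, so a leaked table can't be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class Accounts:
    """Minimal in-memory account store; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        # username -> {"pw": bytes, "pending": [(token_hash, expiry)], "requests": [timestamps]}
        self.users = {}

    def register(self, username, password):
        self.users[username] = {"pw": hash_password(password), "pending": [], "requests": []}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return verify_password(password, user["pw"])

    def request_reset(self, username):
        """Return a one-time token to be mailed, or None when unknown or rate-limited.
        The live password is left untouched: a pending reset is inert until used."""
        user = self.users.get(username)
        if user is None:
            return None  # same response as rate-limited: don't reveal account existence
        now = self.now()
        user["requests"] = [t for t in user["requests"] if now - t < WINDOW]
        if len(user["requests"]) >= MAX_RESETS_PER_WINDOW:
            return None
        user["requests"].append(now)
        token = secrets.token_urlsafe(32)
        user["pending"].append((_token_hash(token), now + TOKEN_TTL))
        return token

    def complete_reset(self, username, token, new_password):
        """Activate a new password only when an unexpired token is presented.
        All pending tokens for the account are consumed on success."""
        user = self.users.get(username)
        if user is None:
            return False
        now = self.now()
        presented = _token_hash(token)
        valid = any(hmac.compare_digest(h, presented) and expiry > now
                    for h, expiry in user["pending"])
        if not valid:
            return False
        user["pw"] = hash_password(new_password)
        user["pending"] = []
        return True


if __name__ == "__main__":
    acc = Accounts()
    acc.register("alice", "old-secret")          # constructed sample account
    token = acc.request_reset("alice")
    print("old password still works after a reset request:", acc.login("alice", "old-secret"))
    print("reset with mailed token:", acc.complete_reset("alice", token, "new-secret"))
    print("old password now rejected:", not acc.login("alice", "old-secret"))
```

The same `requests` bookkeeping keyed on client IP instead of username gives the per-IP limit the message mentions as the other option; the two are usually combined, since a troll targeting one account trips the per-account limit and a script cycling through accounts trips the per-IP one.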
Generated at 05:00 on 02 Apr 2005 by mariachi 0.52