Re: Sites requiring registration to post a comment


From: Chris Nandor
Subject: Re: Sites requiring registration to post a comment
Date: 19:21 on 22 Mar 2005
At 14:14 +0000 2005.03.22, Earle Martin wrote:
>No, I don't want to register a FREE ACCOUNT! on your website just to post a
>fucking comment. Yes, Flickr, I'm looking at you.

My use.perl.org site requires registration to post.  And it's a good thing,
too, because it prevents a lot of comment spam, trolling, and other
undesirable things (and I know this to be true, because by accident I
enabled anonymous comments for a few months, and the amount of abuse on the
site noticeably increased, which is how I found out that I had enabled
anonymous comments).

Sure, it also eliminates some good content, but it's a worthwhile tradeoff,
IMO.



At 8:24 -0600 2005.03.22, Peter da Silva wrote:
>Huh? I'm gonna spam through a password reset script?

Yes.  Trolls do it on Slashdot just to annoy the rightful user.  There are
other ways to deal with this, such as limits on how many password requests
can be made from a given IP, or for a given account, but this is one way.

We used to automatically reset the password when a new one was requested
... that was just asking for abuse.  Now, we create a new password, but
don't activate it until it is used.


>	Your question was... WHAT IS YOUR FAVORITE COLOR? [        ]
>
>Arse. What did I say for this one? Let's check my email... huh, they didn't
>send the answer in the link. Of course. OK, let's see... "bluenogreen".

Yeah, this is ridiculous.  Worse, it is often used as a means to actually
access the account, rather than to send you email providing that access,
which means there is a backdoor into your account, which means your account
is less secure.  If someone knows your favorite color/mother's maiden
name/pet's name, then they can access your account.


>	We'll send a password reset link to your registered mail address.
>
>OK. Fine. Thanks. But IT'S ONLY A WEB BOARD. MAILTO is plenty secure enough.

If you mean that you just want your old password sent to you, the problem
is that, on Slashdot, we do not KNOW your old password.  It's stored
crypt'ed.  So we can't send it to you, we can only send you a new one, or a
link to get a new one, etc.

If you mean sending a new one vs. sending a link to get a new one, there's
not a significant difference between the two, that I can see.


>Arse! I don't remember what tagged address I used for this board...

Yeah, that's dumb when both are required.  Either one is sufficient, user
name or email address.


>and how
>does this improve security anyway? And it's STILL JUST A FUCKING WEB BOARD!

I tend to agree, but we got a lot of complaints from people who used
private information as their password, or used the same password as other
more important sites: if we made someone's password available by accident
(as sometimes happens), then they got really angry that we exposed it
because of what else it might be used for.

So it was worthwhile to just take some extra steps to keep the password
secure, because users are stupid.

-- 
Chris Nandor                      pudge@xxxxx.xxx    http://pudge.net/
Open Source Technology Group       pudge@xxxx.xxx     http://ostg.com/

Generated at 05:00 on 02 Apr 2005 by mariachi 0.52
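The reset flow Chris describes above (passwords stored only as hashes so they cannot be mailed back; a reset request that leaves the current password working until the mailed token is actually used; and per-IP and per-account limits on how often a reset can be requested), as an added example. This is not code from the thread, from Slashcode or from use.perl.org. It is a self-contained Python model with assumed parameters: PBKDF2-SHA256 for password storage, a one-hour token lifetime, five requests per IP and three per account per hour, and lookup by either username or e-mail address.

```python
"""Password-reset model, added as an illustration of the thread's points.

Hypothetical code, not Slashcode. Constants below are assumptions chosen
for the example, not values from the site under discussion.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

PBKDF2_ITERS = 100_000   # assumed work factor
TOKEN_TTL = 3600         # assumed: a pending reset is valid for one hour
MAX_PER_IP = 5           # assumed: reset requests per IP per window
MAX_PER_ACCOUNT = 3      # assumed: reset requests per account per window
WINDOW = 3600            # assumed rate-limit window in seconds


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; the site never holds the cleartext password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return salt, digest


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable for testing
        self.users = {}               # username -> {"email", "salt", "hash"}
        self.pending = {}             # sha256(token) -> (username, expires_at)
        self.by_ip = defaultdict(list)       # ip -> request timestamps
        self.by_account = defaultdict(list)  # username -> request timestamps

    def register(self, username, email, password):
        salt, digest = hash_password(password)
        self.users[username] = {"email": email, "salt": salt, "hash": digest}

    def verify_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["hash"])

    def _allowed(self, log, key, limit):
        """Sliding-window counter: at most `limit` requests per WINDOW."""
        now = self.clock()
        recent = [t for t in log[key] if now - t < WINDOW]
        log[key] = recent
        if len(recent) >= limit:
            return False
        recent.append(now)
        return True

    def request_reset(self, identifier, ip):
        """Username or e-mail address is enough; returns the token that
        would be mailed, or None. The current password is NOT changed, so
        a troll requesting resets cannot lock out the rightful user."""
        username = next((n for n, u in self.users.items()
                         if n == identifier or u["email"] == identifier), None)
        if not self._allowed(self.by_ip, ip, MAX_PER_IP):
            return None
        if username is None or not self._allowed(self.by_account, username, MAX_PER_ACCOUNT):
            return None  # same answer either way: do not reveal whether the account exists
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash of the token
        self.pending[key] = (username, self.clock() + TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password):
        """Only here does the password actually change; the token is single-use."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            return False
        salt, digest = hash_password(new_password)
        self.users[username].update(salt=salt, hash=digest)
        return True
```

The two properties the thread cares about fall out directly: `verify_password` keeps succeeding with the old password after any number of `request_reset` calls, and the account-level limit stops a single troll from filling someone's inbox even when they rotate IP addresses. Storing only `sha256(token)` means a leaked `pending` table does not hand out usable reset links.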