Re: Sites requiring registration to post a comment


From: Chris Nandor
Subject: Re: Sites requiring registration to post a comment
Date: 22:05 on 22 Mar 2005

At 15:19 -0600 2005.03.22, Peter da Silva wrote:
>> Yes.  Trolls do it on Slashdot just to annoy the rightful user.
>
>But requiring a troll to jump through an easy hoop like that won't
>stop the troll.

It slows them down when they try to automate it with a script, which they
have done in the past.


>> We used to automatically reset the password when a new one was requested
>> ... that was just asking for abuse.  Now, we create a new password, but
>> don't activate it until it is used.
>
>That, or create a cryptographic key that can be used to reset the password.

Yes, that is another option.  Not much difference.


>If I meant "your old password" I'd say "your old password".

Yes, but what you said didn't make sense, so I tried to guess.


>> If you mean sending a new one vs. sending a link to get a new one, there's
>> not a significant difference between the two, that I can see.
>
>Well, the difference is that when you send the link you only actually change
>the password when the link is used, so it can't be used to DOS the account
>owner.

The same thing when sending a new one, for us.  The new password is not
active until it is used the first time, so the account owner can just
ignore the email.


>But either of them fall under "MAILTO", either are quite acceptable.

But you were talking about the password reset link as though it didn't fall
under "MAILTO."

-- 
Chris Nandor                      pudge@xxxxx.xxx    http://pudge.net/
Open Source Technology Group       pudge@xxxx.xxx     http://ostg.com/