Hi Jane,
[note, all my uses of "password" below refer to the primary or most privileged password for a given username/website combination]
On Thu, May 10, 2012 at 3:16 AM, Jane Darnell jane023@gmail.com wrote:
It's interesting to read here that Flickr already has something like this with an upload key. I wonder how secure that is?
That's akin to an API key, not a password. Very likely can't be used by HTTP and can't be used to log in to their account.
It mitigates or maybe eliminates the risk of the user losing control of their account or leaking details from what's already stored on their account. (e.g. private pics or profile details. assuming the email interface is write only, no read interface provided)
Email is not secure. period. end of story. no need to discuss any further. (let's assume the lowest common denominator. there's a lot of poorly configured MTAs out there) If it's something that would be very bad to leak (or even something a little bad if you can manage to deliver it some other way) then email should not be used. (or should be limited somehow)
When it comes down to it, I think only experienced Wikipedians really care if their Commons passwords get compromised.
I'm ~99.996% against any possibility of supporting cleartext password authentication by sending emails. Also, If this were done by WLM (rather than as a service run by the WMF directly) then I think it would be a violation of the WMF TOS (or the new TOU). But that needs double checking. IMHO, any thoughts of transmitting cleartext passwords by email idea needs to be killed and buried and never mentioned again.
Surely there are other approaches to authentication/attribution (I've even proposed some myself in the WLM IRC channel and other people there have commented about it too), let's make some other way work.
-Jeremy