Jeremy / WLM,
We definitely want to discourage the emailing around of passwords! It is a violation of our TOU [1], and a bad idea in general.
I'm heading up the OAuth development effort currently. We're in the planning phase right now, but plan to have it implemented this summer. This is what many sites (including Flickr) have implemented to allow their users to grant another application access to a certain function, but not share full access to their account. The OAuth token is like a valet key-- it only allows the application to perform particular functions (like upload a file) on your behalf, and it can be revoked at any time.
I hate to stifle innovation-- hopefully it can either wait until we get OAuth finished, or we can find another way.
Chris
[1] http://wikimediafoundation.org/wiki/Terms_of_Use_(2012)/en#5._Password_Secur...
On Thu, May 10, 2012 at 12:59 AM, Jeremy Baron jeremy@tuxmachine.com wrote:
Hi Jane,
[note, all my uses of "password" below refer to the primary or most privileged password for a given username/website combination]
On Thu, May 10, 2012 at 3:16 AM, Jane Darnell jane023@gmail.com wrote:
It's interesting to read here that Flickr already has something like this with an upload key. I wonder how secure that is?
That's akin to an API key, not a password. Very likely can't be used by HTTP and can't be used to log in to their account.
It mitigates or maybe eliminates the risk of the user losing control of their account or leaking details from what's already stored on their account. (e.g. private pics or profile details. assuming the email interface is write only, no read interface provided)
Email is not secure. period. end of story. no need to discuss any further. (let's assume the lowest common denominator. there's a lot of poorly configured MTAs out there) If it's something that would be very bad to leak (or even something a little bad if you can manage to deliver it some other way) then email should not be used. (or should be limited somehow)
When it comes down to it, I think only experienced Wikipedians really care if their Commons passwords get compromised.
I'm ~99.996% against any possibility of supporting cleartext password authentication by sending emails. Also, if this were done by WLM (rather than as a service run by the WMF directly) then I think it would be a violation of the WMF TOS (or the new TOU). But that needs double checking. IMHO, any idea of transmitting cleartext passwords by email needs to be killed and buried and never mentioned again.
Surely there are other approaches to authentication/attribution (I've even proposed some myself in the WLM IRC channel and other people there have commented about it too), let's make some other way work.
-Jeremy