Walter Vermeir wrote:
Andrew Gray <shimgray@...> writes:
It strikes me that announcing in advance
"Hey, guys, a number of
accounts INCLUDING n SYSOPS have blank passwords and can easily be
taken over..", then not fixing it for a while, is a recipe for
disaster. It's not that hard to generate a list of users with admin
privileges, and presumably neither is it impossible to write a short
script to try 800 logins...
But there cannot be many sysop or higher accounts with no password (I hope).
Using no password, especially when you are a sysop, is highly irresponsible, and
those users should be de-sysopped.
When there are no accounts left that are anything other than normal users, then
blank passwords could be enabled again for 2 weeks or so to give those users the
time to pick a password.
How can users who no longer have access to their account regain access, Brion?
Make a Bugzilla ticket?
There are certainly sysops on en: who don't have email addresses entered
- should /they/ be desysopped?
There are certainly plenty of people who haven't entered email
addresses, and complain "I've lost my password, can you reset it for me"
- but how can we be sure that they are the owner of the account, if they
never entered an email address?
One solution, possibly not the best, is to force people to enter an
email address, and send an "activation token" to that address. At
present email is the only way people have of recovering passwords; we
need to either give them another way, or make email part of the signup
process.
--
Alphax -
http://en.wikipedia.org/wiki/User:Alphax
Contributor to Wikipedia, the Free Encyclopedia
"We make the internet not suck" - Jimbo Wales
Public key:
http://en.wikipedia.org/wiki/User:Alphax/OpenPGP
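A sketch of the "activation token" flow Alphax describes above, added here as an illustration and not code from this thread or from MediaWiki. The store, the function names, the 24-hour lifetime and the sample account are all assumptions. It shows the properties a practitioner would want from such a token: unguessable, stored only as a hash (so a database leak does not hand out live tokens), time-limited, single-use, compared in constant time, and never issued to an account that has no email address on file, which is exactly the case the thread worries about.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed lifetime of a mailed token; not a value from the thread.
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class PendingToken:
    user: str
    email: str
    token_hash: str   # sha256 of the token; the plaintext is only ever in the email
    expires_at: float
    used: bool = False


class ActivationStore:
    """In-memory stand-in for wherever a wiki would persist pending tokens.

    `clock` is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingToken] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, email: str) -> str:
        """Create a fresh token for `user` and return the plaintext to be mailed.

        Refuses accounts with no email on file: with no address there is no
        channel that proves ownership, which is the recovery gap in the thread.
        """
        if not email or "@" not in email:
            raise ValueError(f"{user!r} has no usable email address on file")
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[user] = PendingToken(        # re-issuing replaces any older token
            user=user,
            email=email,
            token_hash=self._hash(token),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem(self, user: str, presented: str) -> bool:
        """Return True exactly once per issued token, and only before it expires."""
        rec = self._pending.get(user)
        if rec is None or rec.used:
            return False
        if self._clock() > rec.expires_at:
            return False
        # Constant-time comparison of the hashes: no timing side channel on the token.
        if not hmac.compare_digest(self._hash(presented), rec.token_hash):
            return False
        rec.used = True
        return True


if __name__ == "__main__":
    # Constructed sample account for demonstration only.
    store = ActivationStore()
    mailed = store.issue("ExampleUser", "exampleuser@example.org")
    print("first redeem :", store.redeem("ExampleUser", mailed))   # True
    print("second redeem:", store.redeem("ExampleUser", mailed))   # False, single use
```

The caller is expected to put the plaintext token in the email link and to treat a successful `redeem` as proof that whoever clicked it controls the mailbox, which is what makes it usable both as a signup activation step and as a password-reset path. Because only the hash is stored, someone who reads the token table cannot redeem anything; because `issue` refuses accounts without an address, the "reset it for me" request from an account with no email has no automated path and must go through a human process instead.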