I and others have expressed dismay at the fact that the wikipedia database contains plain text user passwords. This would be very easy to fix in the new codebase, but there are several options on how to handle it, some of which are feature changes that ought to be discussed by the list at large.
The intended functionality (and what should be the current functionality of http://www.piclab.com/newwiki/wiki.phtml) is this: new users are created by looking up the name; if the name doesn't already exist, the user is created with the password specified. The user can then log in with that name and password at any time. Logged in status is maintained throughout a session. If the user has the "remember my password" option turned on, he is logged in even after closing the browser and restarting later. The login form has a button for those who have forgotten their password. If they have entered an email address for their account, their password can be sent to that address (in plain text). This "email password" function is tricky to do without plain text passwords in the database. A user can change his own password at any time.
As I see it there are three options:
(1) Eliminate the "email my password" feature. This would require people who forgot their passwords either to create new user accounts, or asking an administrator to clear their password (which will be made an option available to administrators). Passwords in the database will then be encrypted.
(2) Change the feature to "email me a new password". Passwords will be encrypted, and when the user forgets his, the system will create a new random password and email _that_. The user will then log in and change his password (hopefully to something he can remember).
Plaintext passwords won't exist anywhere with options 1 or 2--this is the most secure.
(3) Keep the full existing functionality by creating a "shadow" password table with plain text passwords that not even administrators can access (but that a few folks like Jimbo can). This complicates administration, and also might add some latency to functions like creating accounts and changing passwords, but probably not to the basic login. This is the simplest from the user's point of view.
So let me ask the group: is the functionality of sending a plaintext password over email useful enough to justify some extra administration? Is security that important? (There's nothing sensitive in the user table, but people do tend to re-use passwords for several things, so having plain text passwords lying around is probably not a good idea). Which option do you think is best?
On Tue, 2002-05-28 at 12:49, lcrocker@nupedia.com wrote:
The intended functionality (and what should be the current functionality of http://www.piclab.com/newwiki/wiki.phtml) is this:
...
If they have entered an email address for their account, their password can be sent to that address (in plain text).
!?
As I see it there are three options:
...
(2) Change the feature to "email me a new password". Passwords will be encrypted, and when the user forgets his, the system will create a new random password and email _that_. The user will then log in and change his password (hopefully to something he can remember).
I rather thought that's what was meant by "email my password"... E-mailing the *existing unchanged* password strikes me as a highly unusual practice.
-- brion vibber (brion @ pobox.com)
On 5/28/02 4:00 PM, "Brion L. VIBBER" brion@pobox.com wrote:
I rather thought that's what was meant by "email my password"... E-mailing the *existing unchanged* password strikes me as a highly unusual practice.
It's really not that strange, and for low-security situations, such as this, it wouldn't be at all bad if people didn't have the habit of using the same password for everything. But they do. So it's not so good.
I would vote for the "email me a new password" option but we should probably put up a warning anyway that we don't use secure connections so people shouldn't use highly safety-critical passwords. Having said that I still feel we should make it hard to get to these passwords in case some edit-wars get ugly.
-- Jan Hidders
lcrocker@nupedia.com wrote:
(2) Change the feature to "email me a new password". Passwords will be encrypted, and when the user forgets his, the system will create a new random password and email _that_. The user will then log in and change his password (hopefully to something he can remember).
Plaintext passwords won't exist anywhere with options 1 or 2--this is the most secure.
The slashdot software does something similar to this. Here's something to think about.
Each account should have a field for 'password' (encrypted, of course) and 'new password' (encrypted, of course). When a new password is requested, it is sent out (unencrypted) and stored (encrypted) in the 'new password' field. But the old password can be untouched and still functional until the new password is used, at which time it is copied to the 'password' field.
The point of these steps is to prevent a certain kind of denial-of-service attack. If I don't like you, maybe I'll just sit here requesting a new password for you, over and over, thus forcing you to be logged out over and over.
But if the old password continues to work, then all the repeated requests do is barrage you with annoying email -- this email should identify the ip number of the person clicking on 'send a new password'.
--Jimbo
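An added illustration, not code from the wiki codebase or from anyone in this thread, of option (2) from the first message combined with the two-field scheme Jimbo describes: the table stores only salted hashes of the current password and of a pending emailed password, the old password keeps working until the emailed one is used, and the notification names the requester's IP. The in-memory dictionary standing in for the user table, the field names, and the use of PBKDF2 for the hashing are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the wiki's user table: name -> record dict.
# Field names ("password", "new_password") follow Jimbo's description; the
# salt, the PBKDF2 work factor and the dict layout are this example's choices.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so no plaintext password is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_user(db: dict, name: str, password: str, email: Optional[str] = None) -> bool:
    """Look the name up; create the account only if it does not already exist."""
    if name in db:
        return False
    salt = secrets.token_bytes(16)
    db[name] = {
        "salt": salt,
        "password": hash_password(password, salt),
        "new_password": None,  # hash of a pending emailed password, if any
        "email": email,
    }
    return True


def _verify(record: dict, candidate: str, field: str) -> bool:
    """Constant-time comparison against the stored hash in `field`."""
    stored = record[field]
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(candidate, record["salt"]))


def login(db: dict, name: str, password: str) -> bool:
    """The current password works until the emailed one is used; using the
    emailed one promotes it to 'password' and clears the pending field."""
    record = db.get(name)
    if record is None:
        return False
    if _verify(record, password, "password"):
        return True
    if _verify(record, password, "new_password"):
        record["password"] = record["new_password"]
        record["new_password"] = None
        return True
    return False


def request_new_password(db: dict, name: str, requester_ip: str) -> Optional[Tuple[str, str]]:
    """Generate a random password and store only its hash as the pending one.
    Returns (plaintext, email body); the plaintext exists only in the mail.
    Repeated requests replace the pending hash but never touch 'password',
    so they cannot lock the real user out."""
    record = db.get(name)
    if record is None or record["email"] is None:
        return None
    fresh = secrets.token_urlsafe(9)
    record["new_password"] = hash_password(fresh, record["salt"])
    body = (
        f"A new password for '{name}' was requested from IP {requester_ip}.\n"
        f"New password: {fresh}\n"
        "Your current password keeps working until you log in with this one."
    )
    return fresh, body


def change_password(db: dict, name: str, old: str, new: str) -> bool:
    """User-initiated change: re-salt, store the new hash, drop any pending one."""
    record = db.get(name)
    if record is None or not _verify(record, old, "password"):
        return False
    record["salt"] = secrets.token_bytes(16)
    record["password"] = hash_password(new, record["salt"])
    record["new_password"] = None
    return True
```

Because only the latest pending hash is kept, an attacker hammering "send a new password" merely sends the victim a stream of mails (each naming the requesting IP) while the victim's own password keeps working, which is exactly the denial-of-service Jimbo's scheme is meant to blunt.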
wikipedia-l@lists.wikimedia.org