Re: [Wikitech-l] E-mail login to wiki - needs feedback

19 Feb 2015


      I would rather avoid this approach, because it involves running multiple
(sometimes as many as 5) password hashing operations. The idea of our
current key stretching with bcrypt is that the strength parameter should
be just large enough to not affect UX. But if we're running the hash
many times, now we have to reduce the bcrypt strength, and as a result
reduce our defenses against other attacks.
If we just always check one email address, not only do we fulfill most
users' use cases (a single account with their email), but we avoid
adopting any complicated cryptosystem and keep our password hashing as
simple as possible.
-- 
Tyler Romeo

On 2/19/15 08:36, Daniel Friesen wrote:
> I described an alternate idea on how to avoid timing attacks without
> limiting it to one account per address.
> https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/Login_via_e-...
>
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
>
> On 2015-02-19 5:27 AM, Tyler Romeo wrote:
>> I've said this previously, but I believe the only controversial part of
>> this change is ensuring the security and privacy of email addresses.
>>
>> All this involves is constructing a process where every login,
>> regardless of the identifier and regardless of the database state,
>> always performs one and exactly one database query and one and exactly
>> one password hashing.
>>
>> On 2/19/15 07:54, Tony Thomas wrote:
>>> Hello,
>>>
>>> Before someone starts with a proposal for the proposed-tech-project 'Allow
>>> user login with e-mail address'[1], is there still community consensus for
>>> the same ? I personally think its a must-have for MediaWiki, as e-mail
>>> address is easy to remember than a complex username. Currently multiple
>>> users can sign-up with the same e-mail id - which would possibly be a
>>> blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on
>>> the same.
>>>
>>> [1] https://phabricator.wikimedia.org/T30085
>>> [2]
>>> https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
>>>
>>> Thanks,
>>> Tony Thomas http://tttwrites.wordpress.com/
>>> FOSS@Amrita http://foss.amrita.ac.in
>>>
>>> *"where there is a wifi, there is a way"*
>>> _______________________________________________
>>> Wikitech-l mailing list
>>> Wikitech-l@lists.wikimedia.org
>>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>
>>
>> _______________________________________________
>> Wikitech-l mailing list
>> Wikitech-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

Re: [Wikitech-l] E-mail login to wiki - needs feedback