I would rather avoid this approach, because it involves running multiple
(sometimes as many as 5) password hashing operations. The idea of our
current key stretching with bcrypt is that the strength parameter should
be just large enough to not affect UX. But if we're running the hash
many times, now we have to reduce the bcrypt strength, and as a result
reduce our defenses against other attacks.
If we just always check one email address, not only do we fulfill most
users' use cases (a single account with their email), but we avoid
adopting any complicated cryptosystem and keep our password hashing as
simple as possible.
--
Tyler Romeo
On 2/19/15 08:36, Daniel Friesen wrote:
> I described an alternate idea on how to avoid timing attacks without
> limiting it to one account per address.
>
> https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/Login_via_e-...
>
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
>
> On 2015-02-19 5:27 AM, Tyler Romeo wrote:
>> I've said this previously, but I believe the only controversial part of
>> this change is ensuring the security and privacy of email addresses.
>>
>> All this involves is constructing a process where every login,
>> regardless of the identifier and regardless of the database state,
>> always performs one and exactly one database query and one and exactly
>> one password hashing.
>>
>> On 2/19/15 07:54, Tony Thomas wrote:
>>> Hello,
>>>
>>> Before someone starts with a proposal for the proposed-tech-project 'Allow
>>> user login with e-mail address'[1], is there still community consensus for
>>> the same? I personally think it's a must-have for MediaWiki, as an e-mail
>>> address is easier to remember than a complex username. Currently multiple
>>> users can sign up with the same e-mail id, which would possibly be a
>>> blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on
>>> the same.
>>>
>>> [1] https://phabricator.wikimedia.org/T30085
>>> [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
>>>
>>> Thanks,
>>> Tony Thomas
>>> http://tttwrites.wordpress.com/
>>> FOSS@Amrita
>>> http://foss.amrita.ac.in
>>>
>>> *"where there is a wifi, there is a way"*
>>> _______________________________________________
>>> Wikitech-l mailing list
>>> Wikitech-l@lists.wikimedia.org
>>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
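The "one query and exactly one password hash per login attempt" design Tyler describes above, as an added example that is not MediaWiki's own code. Assumptions: Python with PBKDF2 from the standard library standing in for bcrypt (so the block runs without third-party packages; the structure is the same with bcrypt), an in-memory SQLite table whose e-mail column carries a UNIQUE constraint (the one-account-per-address rule), a precomputed dummy hash that is verified against whenever no row matches, and query/hash counters so a test can confirm the work done is the same whether or not the identifier exists.

```python
"""Constant-work login: one database query and one hash per attempt,
regardless of whether the identifier (username or e-mail) exists."""
import hashlib
import hmac
import os
import sqlite3

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt so this runs with the
# standard library alone. Keep the cost low enough that the demo is quick.
SALT_LEN = 16
PBKDF2_ROUNDS = 20_000


def hash_password(password, salt=None):
    """Return salt || PBKDF2 digest; a fresh random salt unless one is given."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    """Recompute the digest under the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Hash of a random password nobody holds. Verifying against it costs exactly
# one hashing operation, like a real check, and always fails.
DUMMY_HASH = hash_password(os.urandom(32).hex())


class LoginStore:
    """Hypothetical user table; counters record the work each login does."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE user ("
            " user_name TEXT UNIQUE NOT NULL,"
            " user_email TEXT UNIQUE NOT NULL,"   # one account per address
            " user_password BLOB NOT NULL)")
        self.queries = 0
        self.hashes = 0

    def add_user(self, name, email, password):
        """Insert a user; returns False if the name or e-mail is already taken."""
        try:
            with self.db:
                self.db.execute("INSERT INTO user VALUES (?, ?, ?)",
                                (name, email, hash_password(password)))
        except sqlite3.IntegrityError:
            return False
        return True

    def _fetch(self, identifier):
        # The single query: matches either column, LIMIT 1 because the UNIQUE
        # constraint guarantees an e-mail can belong to at most one account.
        self.queries += 1
        return self.db.execute(
            "SELECT user_name, user_password FROM user"
            " WHERE user_name = ? OR user_email = ? LIMIT 1",
            (identifier, identifier)).fetchone()

    def _check(self, password, stored):
        # The single hashing operation.
        self.hashes += 1
        return verify_password(password, stored)

    def login(self, identifier, password):
        """Return the matched username on success, else None; always does
        exactly one query and one hash so timing does not reveal whether
        the identifier exists."""
        row = self._fetch(identifier)
        stored = row[1] if row is not None else DUMMY_HASH
        ok = self._check(password, stored)
        # The dummy hash never verifies, but guard explicitly anyway.
        return row[0] if (ok and row is not None) else None


if __name__ == "__main__":
    store = LoginStore()
    store.add_user("Alice", "alice@example.org", "correct horse")  # constructed sample
    for ident, pw in [("alice@example.org", "correct horse"),
                      ("Alice", "wrong"),
                      ("nobody@example.org", "anything")]:
        print(ident, "->", store.login(ident, pw))
    print("queries:", store.queries, "hashes:", store.hashes)
```

The property worth keeping in a real implementation is the one the counters make visible: an attacker who measures response time for a known address and an unknown one sees the same amount of work in both cases, so the lookup does not leak which e-mail addresses are registered.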