I described an alternate idea on how to avoid timing
attacks without
limiting it to one account per address.
I've said this previously, but I believe the
only controversial part of
this change is ensuring the security and privacy of email addresses.
All this involves is constructing a process where every login,
regardless of the identifier and regardless of the database state,
always performs one and exactly one database query and one and exactly
one password hashing.
On 2/19/15 07:54, Tony Thomas wrote:
Hello,
Before someone starts with a proposal for the proposed-tech-project 'Allow
user login with e-mail address'[1], is there still community consensus for
the same ? I personally think its a must-have for MediaWiki, as e-mail
address is easy to remember than a complex username. Currently multiple
users can sign-up with the same e-mail id - which would possibly be a
blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on
the same.
[1]
https://phabricator.wikimedia.org/T30085
[2]
https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
Thanks,
Tony Thomas <http://tttwrites.wordpress.com/>
FOSS@Amrita <http://foss.amrita.ac.in>
*"where there is a wifi, there is a way"*
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org