Build something that works for some subset of the use
cases first, then we
can worry about edge cases and scaling.
Before starting to code, does this project have no chance of being selected for
GSoC 2015? I want to attend GSoC 2015 with this project if
available.
2015-02-21 3:00 GMT+09:00 Bryan Davis <bd808(a)wikimedia.org>:
On Fri, Feb 20, 2015 at 10:56 AM, Gerard Meijssen
<gerard.meijssen(a)gmail.com> wrote:
Hoi,
I have been at Meta ... I do not see it, I do not understand it ... What
should I do to enable this?
Thanks,
GerardM
This thread is basically a discussion of a proposed MediaWiki feature.
See <https://phabricator.wikimedia.org/T30085> for additional context.
On 20 February 2015 at 18:53, Bryan Davis
<bd808(a)wikimedia.org> wrote:
On Fri, Feb 20, 2015 at 9:52 AM, devunt
<devunt(a)gmail.com> wrote:
We should consider some edge cases like:
* More than two accounts with exactly the same email and password.
-> In this case, which account should be chosen for login? Maybe an
account selector could be one of the answers.
* If there are 42 accounts with the same email.
-> Should MediaWiki try to check the password forty-two times? It will
take a _very_ long time, enough to cause a gateway timeout. Which means
nobody can log in to that account.
-> To avoid timing attacks completely, should MediaWiki calculate the hash
for all users forty-two times, the same as for the above user?
Minimum viable product assumption:
Given that authentication is attempted with an (email, password) pair
When more than one account matches the email
Then perform one data load and hash comparison to mitigate timing attacks
and fail the authentication attempt
A community education campaign could easily be launched to notify
users that this invariant will hold for email-based authentication and
give instructions on how to change the email associated with an
account. The target audience for email-based authentication (newer
users who think of email addresses as durable tokens of their
identity) will not be likely to be affected by or even aware of the
multiple-account disambiguation problem.
Bryan
--
Bryan Davis Wikimedia Foundation <bd808(a)wikimedia.org>
[[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA
irc: bd808 v:415.839.6885 x6855
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
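The "one data load and hash comparison, then fail" invariant that Bryan proposes above is easy to get subtly wrong, so here is an added worked example of it. This is illustrative code written for this page, not MediaWiki's own authentication code; the class and function names (EmailAuthenticator, Account, hash_password) and the use of PBKDF2 with a deliberately low iteration count are assumptions chosen so the example runs offline. It also goes one step beyond the thread by treating the "no account matches this email" case the same way as the "many accounts match" case, so that the failure path always costs exactly one KDF evaluation whether 0, 1 or 42 accounts share the address.

```python
"""Email-based login that does a fixed amount of password-hashing work
regardless of how many accounts share the submitted email address.
Added example for this thread; not MediaWiki code."""
import hashlib
import hmac
import os
from collections import defaultdict

# Assumption: PBKDF2-HMAC-SHA256 with a low iteration count so the example
# runs quickly. A real deployment would use a far higher count or a
# memory-hard KDF; the constant-work logic below does not depend on this.
ITERATIONS = 1000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    """Constructed sample account record (not a real schema)."""

    def __init__(self, name: str, email: str, password: str):
        self.name = name
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)


class EmailAuthenticator:
    def __init__(self, accounts):
        # Index accounts by lower-cased email; several accounts may share one.
        self.by_email = defaultdict(list)
        for acct in accounts:
            self.by_email[acct.email.lower()].append(acct)
        # Dummy credential that can never match. Used on every failure path
        # that has no single account to check, so the caller still pays for
        # exactly one KDF evaluation, as on the success path.
        self.dummy_salt = os.urandom(16)
        self.dummy_hash = hash_password(os.urandom(16).hex(), self.dummy_salt)
        # Instrumentation only: counts KDF evaluations made during login.
        self.kdf_calls = 0

    def _verify(self, salt: bytes, stored: bytes, password: str) -> bool:
        self.kdf_calls += 1
        # compare_digest avoids leaking where the hashes first differ.
        return hmac.compare_digest(hash_password(password, salt), stored)

    def authenticate(self, email: str, password: str):
        """Return the matching Account, or None on failure.

        Invariant: exactly one KDF evaluation per call, whether the email
        matches zero, one, or many accounts."""
        matches = self.by_email.get(email.lower(), [])
        if len(matches) != 1:
            # Zero or many matches: one data load, one hash comparison, fail.
            # The comparison result is intentionally ignored.
            self._verify(self.dummy_salt, self.dummy_hash, password)
            return None
        acct = matches[0]
        return acct if self._verify(acct.salt, acct.pw_hash, password) else None


def demo():
    """Constructed sample data: 42 accounts on one address, one unique."""
    shared = [Account(f"user{i}", "shared@example.org", "hunter2") for i in range(42)]
    auth = EmailAuthenticator(shared + [Account("alice", "alice@example.org", "correct horse")])
    results = {
        "alice_ok": auth.authenticate("alice@example.org", "correct horse") is not None,
        "alice_bad": auth.authenticate("alice@example.org", "wrong") is None,
        "shared_42": auth.authenticate("shared@example.org", "hunter2") is None,
        "unknown": auth.authenticate("nobody@example.org", "x") is None,
        "kdf_calls": auth.kdf_calls,
    }
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the dict lookup here stands in for Bryan's "one data load"; in a real deployment the database query for the email should also be a single indexed lookup whose cost does not grow with the number of matches (for example selecting at most two rows), otherwise the 42-account case still leaks through query time even though the hashing work is fixed.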