I described an alternate idea on how to avoid timing attacks without limiting it to one account per address. https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/Login_via_e-...
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
On 2015-02-19 5:27 AM, Tyler Romeo wrote:
I've said this previously, but I believe the only controversial part of this change is ensuring the security and privacy of email addresses.
All this involves is constructing a process where every login, regardless of the identifier and regardless of the database state, always performs one and exactly one database query and one and exactly one password hashing.
On 2/19/15 07:54, Tony Thomas wrote:
Hello,
Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same? I personally think it's a must-have for MediaWiki, as an e-mail address is easier to remember than a complex username. Currently multiple users can sign up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same.
[1] https://phabricator.wikimedia.org/T30085
[2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
Thanks,
Tony Thomas http://tttwrites.wordpress.com/
FOSS@Amrita http://foss.amrita.ac.in
*"where there is a wifi, there is a way"*
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
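The process Tyler Romeo describes above (exactly one database query and one password hashing per login attempt, whatever the identifier and whatever the database holds), sketched as an added example that is not code from this thread or from MediaWiki. The schema, the PBKDF2 parameters, the `CALLS` counter and the rule that an identifier matching several accounts counts as a miss are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

CALLS = {"query": 0, "hash": 0}   # instrumentation for the demo only
ITERATIONS = 50_000               # constructed work factor, not MediaWiki's

def hash_password(password, salt):
    CALLS["hash"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_db():
    """Constructed sample data: Bob and Carol share one e-mail address."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT UNIQUE, email TEXT, salt BLOB, hash BLOB)")
    for name, email, pw in [("Alice", "alice@example.org", "correct horse"),
                            ("Bob", "shared@example.org", "bob-pw"),
                            ("Carol", "shared@example.org", "carol-pw")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO user VALUES (?, ?, ?, ?)",
                   (name, email, salt, hash_password(pw, salt)))
    db.commit()
    return db

# Stand-in record for the miss path; a random "hash" no password can produce.
DUMMY_SALT, DUMMY_HASH = os.urandom(16), os.urandom(32)

def login(db, identifier, password):
    """Return the account name on success, None otherwise."""
    # One query covers username and e-mail; LIMIT 2 is enough to detect ambiguity.
    CALLS["query"] += 1
    rows = db.execute(
        "SELECT name, salt, hash FROM user WHERE name = ? OR email = ? LIMIT 2",
        (identifier, identifier)).fetchall()
    # Assumption: an identifier matching zero or several accounts is a miss.
    matched = len(rows) == 1
    name, salt, stored = rows[0] if matched else (None, DUMMY_SALT, DUMMY_HASH)
    # One hash on every path, then a constant-time comparison.
    candidate = hash_password(password, salt)
    same = hmac.compare_digest(candidate, stored)
    return name if (matched and same) else None

if __name__ == "__main__":
    db = make_db()
    for ident, pw in [("Alice", "correct horse"), ("alice@example.org", "correct horse"),
                      ("nobody", "x"), ("shared@example.org", "bob-pw")]:
        CALLS.update(query=0, hash=0)
        print(ident, "->", login(db, ident, pw), CALLS)
```

The counters confirm the same amount of work on hit, miss and ambiguous paths; they do not measure residual timing differences inside the database lookup itself.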