On Wed, Apr 4, 2012 at 5:43 PM, Petr Bena benapetr@gmail.com wrote:
I have seen there is a lot of wikis where people are concerned about inactive sysops. They managed to set up a strange rule where sysop rights are removed from inactive users to improve the security. However the sysops are allowed to request the flag to be restored anytime. This doesn't improve security even a bit as long as hacker who would get to some of inactive accounts could just post a request and get the sysop rights just as if they hacked to active user.
For this reason I think we should create a new extension auto sysop removal, which would remove the flag from all users who didn't login to system for some time, and if they logged back, the confirmation code would be sent to email, so that they could reactivate the sysop account. This would be much simpler and it would actually make hacking to sysop accounts much harder. I also believe it would be nice if system sent an email to holder of account when someone do more than 5 bad login attemps, in order to be warned that someone is likely trying to compromise their account.
What happens if the ex-sysop has lost access to their original email address .. ?