On Fri, Feb 20, 2015 at 10:56 AM, Gerard Meijssen
<gerard.meijssen(a)gmail.com> wrote:
Hoi,
I have been at Meta ... I do not see it, I do not understand it .. What
should I do to enable this ?
Thanks,
GerardM
This thread is basically a discussion of a proposed MediaWiki feature.
See <https://phabricator.wikimedia.org/T30085> for additional context.
On 20 February 2015 at 18:53, Bryan Davis
<bd808(a)wikimedia.org> wrote:
On Fri, Feb 20, 2015 at 9:52 AM, devunt
<devunt(a)gmail.com> wrote:
We should consider some edge cases like:
* More than two accounts with exactly same email and password.
-> In this case, which account should be chosen for logged-in? Maybe
account selector could be one of the answers.
* If there's a 42 accounts with same email.
-> Should mediawiki try to check password forty two times? It will
takes _very_ long time as enough to cause gateway timeout. Which means
nobody can log in to that account.
-> To avoid timing attack completely, should mediawiki calculate hash
of all users forty two times as same as above user?
Minimum viable product assumption:
Given that authentication is attempted with an (email, password) pair
When more than one account matches email
Then perform one data load and hash comparison to mitigate timing attacks
and fail authentication attempt
A community education campaign could easily be launched to notify
users that this invariant will hold for email based authentication and
give instructions on how to change the email associated with an
account. The target audience for email based authentication (newer
users who think of email addresses as durable tokens of their
identity) will not be likely to be effected or even aware of the
multiple account disambiguation problem.
Bryan
--
Bryan Davis Wikimedia Foundation <bd808(a)wikimedia.org>
[[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA
irc: bd808 v:415.839.6885 x6855
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
--
Bryan Davis Wikimedia Foundation <bd808(a)wikimedia.org>
[[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA
irc: bd808 v:415.839.6885 x6855