On Fri, Feb 20, 2015 at 10:56 AM, Gerard Meijssen gerard.meijssen@gmail.com wrote:
Hoi, I have been at Meta... I do not see it, I do not understand it... What should I do to enable this? Thanks, GerardM
This thread is basically a discussion of a proposed MediaWiki feature. See https://phabricator.wikimedia.org/T30085 for additional context.
On 20 February 2015 at 18:53, Bryan Davis bd808@wikimedia.org wrote:
On Fri, Feb 20, 2015 at 9:52 AM, devunt devunt@gmail.com wrote:
We should consider some edge cases like:
- More than two accounts with exactly the same email and password.
-> In this case, which account should be chosen to log in? Maybe an account selector could be one of the answers.
- If there are 42 accounts with the same email.
-> Should MediaWiki try to check the password forty-two times? It will take a _very_ long time, enough to cause a gateway timeout, which means nobody can log in to that account.
-> To avoid timing attacks completely, should MediaWiki calculate the hash of all users forty-two times, the same as for the user above?
Minimum viable product assumption:
Given that authentication is attempted with an (email, password) pair
When more than one account matches the email
Then perform one data load and hash comparison to mitigate timing attacks and fail the authentication attempt
A community education campaign could easily be launched to notify users that this invariant will hold for email based authentication and give instructions on how to change the email associated with an account. The target audience for email based authentication (newer users who think of email addresses as durable tokens of their identity) will not be likely to be affected by or even aware of the multiple account disambiguation problem.
Bryan
Bryan Davis Wikimedia Foundation bd808@wikimedia.org [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA irc: bd808 v:415.839.6885 x6855
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
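An added illustration of the two strategies discussed in the thread, not code from MediaWiki (which is PHP) nor from any of the posters: a standalone Python model with constructed sample accounts (42 registered to one address, one unique), hypothetical function names, and a deliberately low PBKDF2 iteration count so it runs quickly. `login_naive` is the "check the password forty-two times" approach devunt worries about; `login_mvp` is Bryan's rule of one data load and one hash comparison, failing whenever the email is ambiguous. The hash-call counter makes the cost difference and the timing-uniformity property visible; the dummy-hash branch for unknown emails is an extension beyond the thread's wording, added so an attacker cannot tell "no such email" from "wrong password" by response time.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical, deliberately small work factor so the example runs fast.
# A real deployment uses a far higher iteration count or a memory-hard KDF.
PBKDF2_ITERATIONS = 10_000


@dataclass(frozen=True)
class Account:
    name: str
    email: str      # stored normalized (stripped, lower-cased)
    salt: bytes
    pw_hash: bytes


# Number of expensive KDF computations performed; reset by measure().
hash_calls = 0


def derive(password: str, salt: bytes) -> bytes:
    """Password-to-hash derivation; every call is counted."""
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(name: str, email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name, email.strip().lower(), salt, derive(password, salt))


def check(account: Account, password: str) -> bool:
    """Recompute the hash and compare in constant time."""
    return hmac.compare_digest(derive(password, account.salt), account.pw_hash)


# Salt belonging to no account; used to burn one KDF call when no account
# matches, so unknown emails cost the same as known ones.
_DUMMY_SALT = os.urandom(16)


def find_by_email(accounts, email: str):
    wanted = email.strip().lower()
    return [a for a in accounts if a.email == wanted]


def login_naive(accounts, email: str, password: str):
    """Try every account sharing the email and log in to the first that
    matches. Cost grows linearly with the number of matching accounts."""
    for account in find_by_email(accounts, email):
        if check(account, password):
            return account.name
    return None


def login_mvp(accounts, email: str, password: str):
    """One data load, one hash comparison; ambiguous email always fails."""
    matches = find_by_email(accounts, email)
    if len(matches) == 1:
        return matches[0].name if check(matches[0], password) else None
    # Zero or several matches: spend exactly one KDF call so the response
    # time looks like the single-account case, then fail regardless.
    if matches:
        check(matches[0], password)
    else:
        derive(password, _DUMMY_SALT)
    return None


def measure(fn, *args):
    """Run an authentication function and report (result, KDF calls made)."""
    global hash_calls
    hash_calls = 0
    result = fn(*args)
    return result, hash_calls


# Constructed sample data: 42 accounts on one shared address plus one
# account with a unique address.
SAMPLE = [make_account(f"user{i}", "shared@example.org", f"pw{i}") for i in range(42)]
SAMPLE.append(make_account("alice", "alice@example.org", "correct horse"))


if __name__ == "__main__":
    print("naive, shared email, last account's password:",
          measure(login_naive, SAMPLE, "shared@example.org", "pw41"))
    print("mvp,   shared email, last account's password:",
          measure(login_mvp, SAMPLE, "shared@example.org", "pw41"))
    print("mvp,   unique email, right password:",
          measure(login_mvp, SAMPLE, "Alice@Example.org", "correct horse"))
```

Running it shows the naive path performing 42 derivations (and, for a wrong password, 42 every time) while the MVP path performs exactly one whether the email is unique, shared, or unknown. Note that the MVP rule means the 42 accounts on the shared address can never log in by email at all, which is the trade-off Bryan's message accepts and proposes to explain to users.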