Hello,
Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same.
[1] https://phabricator.wikimedia.org/T30085 [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
Thanks, Tony Thomas http://tttwrites.wordpress.com/ FOSS@Amrita http://foss.amrita.ac.in
*"where there is a wifi, there is a way"*
I've said this previously, but I believe the only controversial part of this change is ensuring the security and privacy of email addresses.
All this involves is constructing a process where every login, regardless of the identifier and regardless of the database state, always performs one and exactly one database query and one and exactly one password hashing.
On 2/19/15 07:54, Tony Thomas wrote:
Hello,
Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same.
[1] https://phabricator.wikimedia.org/T30085 [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
Thanks, Tony Thomas http://tttwrites.wordpress.com/ FOSS@Amrita http://foss.amrita.ac.in
*"where there is a wifi, there is a way"* _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
I described an alternate idea on how to avoid timing attacks without limiting it to one account per address. https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/Login_via_e-...
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
On 2015-02-19 5:27 AM, Tyler Romeo wrote:
I've said this previously, but I believe the only controversial part of this change is ensuring the security and privacy of email addresses.
All this involves is constructing a process where every login, regardless of the identifier and regardless of the database state, always performs one and exactly one database query and one and exactly one password hashing.
On 2/19/15 07:54, Tony Thomas wrote:
Hello,
Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same.
[1] https://phabricator.wikimedia.org/T30085 [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
Thanks, Tony Thomas http://tttwrites.wordpress.com/ FOSS@Amrita http://foss.amrita.ac.in
*"where there is a wifi, there is a way"* _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
I would rather avoid this approach, because it involves running multiple (sometimes as many as 5) password hashing operations. The idea of our current key stretching with bcrypt is that the strength parameter should be just large enough to not affect UX. But if we're running the hash many times, now we have to reduce the bcrypt strength, and as a result reduce our defenses against other attacks.
If we just always check one email address, not only do we fulfill most users' use cases (a single account with their email), but we avoid adopting any complicated cryptosystem and keep our password hashing as simple as possible.
Tony Thomas wrote:
Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. [...]
Hi.
Yes, I believe there's consensus to implement this feature. It's incredibly common practice on the Web to allow login via e-mail address. MediaWiki fortunately already supports storing and authenticating e-mail addresses, so the work to allow login via e-mail address hopefully shouldn't be too difficult. The tricky parts are that e-mail addresses are considered private information and there's no requirement that e-mail addresses be unique in the user table.
As you mention, there are many instances of multiple users using the same e-mail address. As part of a first iteration, we'd likely simply disallow login via e-mail address for the ambiguous cases. In a second or third iteration, we'd ideally have an intermediate post-login screen that allows the user to select an account to use.
This account selector may also one day tie in with the idea of having an account switcher (i.e., the ability to easily switch between multiple accounts without needing to log out and re-authenticate). However, these are tangential features that quickly start to get a lot more complicated when you consider single user login and its cross-domain magic, login sessions, cookies, etc.
MZMcBride
On 15-02-19 09:27 AM, MZMcBride wrote:
n a second or third iteration, we'd ideally have an intermediate post-login screen that allows the user to select an account to use.
That would be a catastrophe, from a privacy standpoint; even if we restrict this to verified email addresses, there is no possible guarantee that the person who controled email address x@y in the past is the person who controls it today.
It would also have horrid security implication if you allow further creation of accounts sharing an email (which would be necessary to make that feature useful): create an account with the email of someone you want to find the Wikimedia account of, log in, be presented with the accounts.
-- Marc
Marc A. Pelletier wrote:
On 15-02-19 09:27 AM, MZMcBride wrote:
In a second or third iteration, we'd ideally have an intermediate post-login screen that allows the user to select an account to use.
That would be a catastrophe, from a privacy standpoint; even if we restrict this to verified email addresses, there is no possible guarantee that the person who controled email address x@y in the past is the person who controls it today.
My understanding is that this intermediate screen would only trigger if an account is using both the same verified e-mail address _and_ the same password. I don't believe there's any privilege escalation or privacy concern to allow users to login to multiple accounts that share an e-mail address (considered private/secret) and that share a password, which are the two inputs we'd be accepting during user login.
It's checking multiple passwords that starts to introduce a lot more concerns about timing attacks, as I understand it. This is a hard problem, as we typically want password verification to be relatively slow.
That said, these types of concerns that you're raising are fantastic to consider and discuss (thank you!). I think we need a lot of scrutiny in this area to ensure that we implement a sane, secure solution.
It would also have horrid security implication if you allow further creation of accounts sharing an email (which would be necessary to make that feature useful): create an account with the email of someone you want to find the Wikimedia account of, log in, be presented with the accounts.
Same as above, I think. :-)
MZMcBride
On Thu, Feb 19, 2015 at 6:44 AM, Marc A. Pelletier marc@uberbox.org wrote:
That would be a catastrophe, from a privacy standpoint; even if we restrict this to verified email addresses, there is no possible guarantee that the person who controled email address x@y in the past is the person who controls it today.
Not that precedent makes it right, but this is possible already with password reset. We assume that if you control x@y, you are entitled to control any accounts with a confirmed email of x@y.
It would also have horrid security implication if you allow further creation of accounts sharing an email (which would be necessary to make that feature useful): create an account with the email of someone you want to find the Wikimedia account of, log in, be presented with the accounts.
If it's limited to accounts with a confirmed email, and the passwords all match, then this isn't an issue (unless I'm misunderstanding your concern). As an attacker, I can't confirm the email of my victim for my account, and it's unlikely that I can set the same password (otherwise I'd just login as them).
But those requirements do require hashing the password per user, which does leak timing information when we run this in php with our current password system-- maybe we can find a service to do all the hashing in parallel. But to start, just not allowing that case would cover the 90% (99.9% probably) use case.
2015-02-19 13:54 GMT+01:00 Tony Thomas 01tonythomas@gmail.com:
I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username.
I think everybody has the chance to choose as simple username as they can remember. It's not nuclear physics or cerebral surgery. Where am I wrong?
Bináris wrote:
2015-02-19 13:54 GMT+01:00 Tony Thomas 01tonythomas@gmail.com:
I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username.
I think everybody has the chance to choose as simple username as they can remember. It's not nuclear physics or cerebral surgery. Where am I wrong?
It's not a matter of choosing a single, simple user name, per se, it's choosing a user name on Wikimedia wikis, on Twitter, on Facebook, on Gmail, on GitHub, and on a million other sites on the Web. Yes, users should choose memorable user names and secure passwords on each site and never forget them, but that isn't the world we live in. We dramatically reduce our barrier to entry by allowing login via e-mail address as users can typically remember their own e-mail address. Do you disagree?
MediaWiki not only currently disallows login via e-mail address, login is case-sensitive (e.g., "MZ" and "Mz" can be different users). In your experience, is MediaWiki's current authentication architecture following common or best practices? I personally think there's a lot of work needed.
MZMcBride
Note: As the assignee of T30085 and also as main contributor of RfC, I'll create a patch when proper consensus completed.
On 19/02/15 16:15, MZMcBride wrote:
It's not a matter of choosing a single, simple user name, per se, it's choosing a user name on Wikimedia wikis, on Twitter, on Facebook, on Gmail, on GitHub, and on a million other sites on the Web. Yes, users should choose memorable user names and secure passwords on each site and never forget them, but that isn't the world we live in. We dramatically reduce our barrier to entry by allowing login via e-mail address as users can typically remember their own e-mail address. Do you disagree?
MediaWiki not only currently disallows login via e-mail address, login is case-sensitive (e.g., "MZ" and "Mz" can be different users). In your experience, is MediaWiki's current authentication architecture following common or best practices? I personally think there's a lot of work needed.
MZMcBride
Emails are case-sensitive as well. platonides@gmail is different than Platonides@gmail and different than PLATONIDES@gmail (for everybody but gmail). (cf. T76169, T75818, T85137)
PS: Some people indeed can't remember their own email address.
On Thursday, February 19, 2015, Tony Thomas 01tonythomas@gmail.com wrote:
I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username.
It's also important because users of mobile devices are very used to this design pattern for logging in to apps, and having it in the mobile apps is blocked by not having it in MediaWiki.
Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed.
I wouldn't even try to tackle that problem for a first pass at this.
If we can get login with username working for the case where there is a one-to-one match between email and password, that's a *huge* step forwards. The many-to-one case can follow afterwards.
Dan
Hi all,
I'm the one who started that bug-now-task a while back, and for context, it was based directly on user feedback. What MzM says above is right. I was working with a casual (but quite good) editor who said to me "well, I'd edit that Wikipedia page, but I don't edit very often and I can never remember what my login is, since my usual login was taken. But if I could enter my email address, it would be a lot easier and I'd be more likely to just do it."
Struck by the idea that this was a barrier to editing, I asked around and got similar feedback from other people, for both public and private mediawikis. So I submitted the bug for consideration. I know it's difficult and there's been a lot of discussion on how to technically do it, but I think the underlying need definitely still exists.
thanks, Phoebe
On Thu, Feb 19, 2015 at 4:54 AM, Tony Thomas 01tonythomas@gmail.com wrote:
Hello,
Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same.
[1] https://phabricator.wikimedia.org/T30085 [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
Thanks, Tony Thomas http://tttwrites.wordpress.com/ FOSS@Amrita http://foss.amrita.ac.in
*"where there is a wifi, there is a way"* _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
We should consider some edge cases like:
* More than two accounts with exactly same email and password. -> In this case, which account should be chosen for logged-in? Maybe account selector could be one of the answers.
* If there's a 42 accounts with same email. -> Should mediawiki try to check password forty two times? It will takes _very_ long time as enough to cause gateway timeout. Which means nobody can log in to that account. -> To avoid timing attack completely, should mediawiki calculate hash of all users forty two times as same as above user?
2015-02-20 8:58 GMT+09:00 phoebe ayers phoebe.wiki@gmail.com:
Hi all,
I'm the one who started that bug-now-task a while back, and for context, it was based directly on user feedback. What MzM says above is right. I was working with a casual (but quite good) editor who said to me "well, I'd edit that Wikipedia page, but I don't edit very often and I can never remember what my login is, since my usual login was taken. But if I could enter my email address, it would be a lot easier and I'd be more likely to just do it."
Struck by the idea that this was a barrier to editing, I asked around and got similar feedback from other people, for both public and private mediawikis. So I submitted the bug for consideration. I know it's difficult and there's been a lot of discussion on how to technically do it, but I think the underlying need definitely still exists.
thanks, Phoebe
On Thu, Feb 19, 2015 at 4:54 AM, Tony Thomas 01tonythomas@gmail.com wrote:
Hello,
Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same.
[1] https://phabricator.wikimedia.org/T30085 [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
Thanks, Tony Thomas http://tttwrites.wordpress.com/ FOSS@Amrita http://foss.amrita.ac.in
*"where there is a wifi, there is a way"* _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
--
- I use this address for lists; send personal messages to phoebe.ayers
<at> gmail.com *
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 20 February 2015 at 08:52, devunt devunt@gmail.com wrote:
We should consider some edge cases like:
I disagree.
This is not an easy problem. We know that. The reason there's been so much talk and so little action on this because we insist on repeating all the reasons why this is hard every time this point is raised, and everyone gets put off.
Build something that works for some subset of the use cases first, then we can worry about edge cases and scaling.
Dan
IMO we should strongly discourage use of multiple accounts with the same email to the point of forbidding it in software for new accounts.[1]
Figuring out how to migrate those old accounts is something that needs to be considered and worked out, but it shouldn't hold up work on making the login/reset form accept email addresses for the common case.
[1] I personally have a bunch of test accounts that probably have the same email, and I'm sure some folks have bots and other things set up similarly. Note that many email providers including Gmail allow email aliases with "+" and something else after your mailbox name, such as 'johndoe+testing99 at wikimedia.org'; I've used this in the past to have separate accounts on one email for Apple and other providers as well.
-- brion
On Fri, Feb 20, 2015 at 9:06 AM, Dan Garry dgarry@wikimedia.org wrote:
On 20 February 2015 at 08:52, devunt devunt@gmail.com wrote:
We should consider some edge cases like:
I disagree.
This is not an easy problem. We know that. The reason there's been so much talk and so little action on this because we insist on repeating all the reasons why this is hard every time this point is raised, and everyone gets put off.
Build something that works for some subset of the use cases first, then we can worry about edge cases and scaling.
Dan
-- Dan Garry Associate Product Manager, Mobile Apps Wikimedia Foundation _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 20/02/15 17:28, Brion Vibber wrote:
IMO we should strongly discourage use of multiple accounts with the same email to the point of forbidding it in software for new accounts.[1]
Figuring out how to migrate those old accounts is something that needs to be considered and worked out, but it shouldn't hold up work on making the login/reset form accept email addresses for the common case.
[1] I personally have a bunch of test accounts that probably have the same email, and I'm sure some folks have bots and other things set up similarly. Note that many email providers including Gmail allow email aliases with "+" and something else after your mailbox name, such as 'johndoe+testing99 at wikimedia.org'; I've used this in the past to have separate accounts on one email for Apple and other providers as well.
-- brion
Please see https://en.wikipedia.org/wiki/Wikipedia:Sock_puppetry#Legitimate_uses for a non-comprehensive list of use cases for alternate accounts. Requiring separate emails, or expecting users to know that particular trick, would be problematic for many of these, and may even encourage some users to not use an email address at all.
-I
Another alternative is to explicitly support multiple usernames under an umbrella backend account... (Anybody remember AOL screen names? BLAST FROM THE PAST)
I don't know whether that's something to encourage, but it would simplify those cases.
-- brion
On Fri, Feb 20, 2015 at 10:45 AM, Isarra Yos zhorishna@gmail.com wrote:
On 20/02/15 17:28, Brion Vibber wrote:
IMO we should strongly discourage use of multiple accounts with the same email to the point of forbidding it in software for new accounts.[1]
Figuring out how to migrate those old accounts is something that needs to be considered and worked out, but it shouldn't hold up work on making the login/reset form accept email addresses for the common case.
[1] I personally have a bunch of test accounts that probably have the same email, and I'm sure some folks have bots and other things set up similarly. Note that many email providers including Gmail allow email aliases with "+" and something else after your mailbox name, such as 'johndoe+testing99 at wikimedia.org'; I've used this in the past to have separate accounts on one email for Apple and other providers as well.
-- brion
Please see https://en.wikipedia.org/wiki/Wikipedia:Sock_puppetry# Legitimate_uses for a non-comprehensive list of use cases for alternate accounts. Requiring separate emails, or expecting users to know that particular trick, would be problematic for many of these, and may even encourage some users to not use an email address at all.
-I
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Another alternative is to explicitly support multiple usernames under an umbrella backend account... (Anybody remember AOL screen names? BLAST FROM THE PAST)
Making umbrella backend account could be one of the answers. But implementation of umbrella backend account requires massive user/authentication code updates, table schema changes and massive auto account merges(which accounts have same emails) than other ways. Anyway I think umbrella idea is the most nice one.
2015-02-21 3:51 GMT+09:00 Brion Vibber bvibber@wikimedia.org:
Another alternative is to explicitly support multiple usernames under an umbrella backend account... (Anybody remember AOL screen names? BLAST FROM THE PAST)
I don't know whether that's something to encourage, but it would simplify those cases.
-- brion
On Fri, Feb 20, 2015 at 10:45 AM, Isarra Yos zhorishna@gmail.com wrote:
On 20/02/15 17:28, Brion Vibber wrote:
IMO we should strongly discourage use of multiple accounts with the same email to the point of forbidding it in software for new accounts.[1]
Figuring out how to migrate those old accounts is something that needs to be considered and worked out, but it shouldn't hold up work on making the login/reset form accept email addresses for the common case.
[1] I personally have a bunch of test accounts that probably have the same email, and I'm sure some folks have bots and other things set up similarly. Note that many email providers including Gmail allow email aliases with "+" and something else after your mailbox name, such as 'johndoe+testing99 at wikimedia.org'; I've used this in the past to have separate accounts on one email for Apple and other providers as well.
-- brion
Please see https://en.wikipedia.org/wiki/Wikipedia:Sock_puppetry# Legitimate_uses for a non-comprehensive list of use cases for alternate accounts. Requiring separate emails, or expecting users to know that particular trick, would be problematic for many of these, and may even encourage some users to not use an email address at all.
-I
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Fri, Feb 20, 2015 at 10:51 AM, Brion Vibber bvibber@wikimedia.org wrote:
Another alternative is to explicitly support multiple usernames under an umbrella backend account... (Anybody remember AOL screen names? BLAST FROM THE PAST)
Or just add a "this is my primary account" flag, which, when set, clears the same flag from all other accounts with the same email. If we require email confirmation for setting it, that would even take care of concerns about email addresses changing hands over time.
Il 20/02/2015 22:29, Gergo Tisza ha scritto:
On Fri, Feb 20, 2015 at 10:51 AM, Brion Vibber bvibber@wikimedia.org wrote:
Another alternative is to explicitly support multiple usernames under an umbrella backend account... (Anybody remember AOL screen names? BLAST FROM THE PAST)
Or just add a "this is my primary account" flag, which, when set, clears the same flag from all other accounts with the same email. If we require email confirmation for setting it, that would even take care of concerns about email addresses changing hands over time.
I proposed something like that a couple months ago [1]
[1] https://lists.wikimedia.org/pipermail/wikitech-l/2014-December/079831.html
Gergo Tisza wrote:
On Fri, Feb 20, 2015 at 10:51 AM, Brion Vibber bvibber@wikimedia.org wrote:
Another alternative is to explicitly support multiple usernames under an umbrella backend account... (Anybody remember AOL screen names? BLAST FROM THE PAST)
Or just add a "this is my primary account" flag, which, when set, clears the same flag from all other accounts with the same email. If we require email confirmation for setting it, that would even take care of concerns about email addresses changing hands over time.
Yep, this is certainly a possibility. It would be great if you and others would edit https://www.mediawiki.org/wiki/RFC/Login_via_e-mail_address or at least drop a note on the talk page so that we can consider and address the issues here to come up with clean, secure, and sane solutions.
devunt wrote:
Build something that works for some subset of the use cases first, then we can worry about edge cases and scaling.
Before starting code, is this project have no chance to selection for GSoC 2015? I want to attend the GSoC 2015 with this project if available.
If this project means basic support for login via e-mail address in MediaWiki, I think there's consensus to implement this feature and it would likely make for a good Google Summer of Code project. However, if the project scope increases to include more than just basic support for login via e-mail address, it's probably not a great candidate for GSoC.
MZMcBride
Hi.
Brion Vibber wrote:
IMO we should strongly discourage use of multiple accounts with the same email to the point of forbidding it in software for new accounts.[1]
MediaWiki currently has constraints requiring that user IDs and user names be unique. Why make user e-mail addresses unique? As you note, it's a fairly low bar for users to bypass such a constraint and there are use-cases for allowing multiple accounts to share an e-mail address.
Figuring out how to migrate those old accounts is something that needs to be considered and worked out, but it shouldn't hold up work on making the login/reset form accept email addresses for the common case.
I believe password reset via e-mail address is already implemented. :-)
[1] I personally have a bunch of test accounts that probably have the same email, and I'm sure some folks have bots and other things set up similarly. Note that many email providers including Gmail allow email aliases with "+" and something else after your mailbox name, such as 'johndoe+testing99 at wikimedia.org'; I've used this in the past to have separate accounts on one email for Apple and other providers as well.
It's probably difficult to estimate, but I wonder what percentage of users are currently using a mail provider that supports this type of behavior. On the one hand, I thought Gmail/Google Apps was alone in supporting account+something@example.com functionality, but on the other hand, nearly everybody seems to be using Gmail/Google Apps these days.
I also wonder how many users would be affected by making e-mail addresses unique on a large wiki. That is, how many instances are there of two or more accounts using the same confirmed e-mail address on the German or French or English Wikipedia? We should be able to query this information, which I think would provide useful context and understanding.
MZMcBride
On Fri, Feb 20, 2015 at 11:45 PM, MZMcBride z@mzmcbride.com wrote:
Hi.
Brion Vibber wrote:
I personally have a bunch of test accounts that probably have the same email, and I'm sure some folks have bots and other things set up similarly. Note that many email providers including Gmail allow email aliases with "+" and something else after your mailbox name, such as 'johndoe+testing99 at wikimedia.org'; I've used this in the past to have separate accounts on one email for Apple and other providers as well.
It's probably difficult to estimate, but I wonder what percentage of users are currently using a mail provider that supports this type of behavior. On the one hand, I thought Gmail/Google Apps was alone in supporting account+something@example.com functionality, but on the other hand, nearly everybody seems to be using Gmail/Google Apps these days.
RFC 5321 says that interpretation and validation of the local part of an email address is left entirely to the receiving host [0] which makes verifying which hosts support various "subaddressing" methods [1] difficult. As mentioned in [[en:Email address]] [2] however there are quite a few large mail services and common mail transfer agent packages support some type of subaddressing or tagging although with various syntax variations.
[0]: https://tools.ietf.org/html/rfc5321#section-2.3.11 [1]: https://tools.ietf.org/html/rfc5233 [2]: https://en.wikipedia.org/wiki/Email_address#Address_tags
Bryan
On Fri, Feb 20, 2015 at 9:52 AM, devunt devunt@gmail.com wrote:
We should consider some edge cases like:
- More than two accounts with exactly same email and password.
-> In this case, which account should be chosen for logged-in? Maybe account selector could be one of the answers.
- If there's a 42 accounts with same email.
-> Should mediawiki try to check password forty two times? It will takes _very_ long time as enough to cause gateway timeout. Which means nobody can log in to that account. -> To avoid timing attack completely, should mediawiki calculate hash of all users forty two times as same as above user?
Minimum viable product assumption:
Given that authentication is attempted with an (email, password) pair When more than one account matches email Then perform one data load and hash comparison to mitigate timing attacks and fail authentication attempt
A community education campaign could easily be launched to notify users that this invariant will hold for email based authentication and give instructions on how to change the email associated with an account. The target audience for email based authentication (newer users who think of email addresses as durable tokens of their identity) will not be likely to be effected or even aware of the multiple account disambiguation problem.
Bryan
Hoi, I have been at Meta ... I do not see it, I do not understand it .. What should I do to enable this ? Thanks, GerardM
On 20 February 2015 at 18:53, Bryan Davis bd808@wikimedia.org wrote:
On Fri, Feb 20, 2015 at 9:52 AM, devunt devunt@gmail.com wrote:
We should consider some edge cases like:
- More than two accounts with exactly same email and password.
-> In this case, which account should be chosen for logged-in? Maybe account selector could be one of the answers.
- If there's a 42 accounts with same email.
-> Should mediawiki try to check password forty two times? It will takes _very_ long time as enough to cause gateway timeout. Which means nobody can log in to that account. -> To avoid timing attack completely, should mediawiki calculate hash of all users forty two times as same as above user?
Minimum viable product assumption:
Given that authentication is attempted with an (email, password) pair When more than one account matches email Then perform one data load and hash comparison to mitigate timing attacks and fail authentication attempt
A community education campaign could easily be launched to notify users that this invariant will hold for email based authentication and give instructions on how to change the email associated with an account. The target audience for email based authentication (newer users who think of email addresses as durable tokens of their identity) will not be likely to be effected or even aware of the multiple account disambiguation problem.
Bryan
Bryan Davis Wikimedia Foundation bd808@wikimedia.org [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA irc: bd808 v:415.839.6885 x6855
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Fri, Feb 20, 2015 at 10:56 AM, Gerard Meijssen gerard.meijssen@gmail.com wrote:
Hoi, I have been at Meta ... I do not see it, I do not understand it .. What should I do to enable this ? Thanks, GerardM
This thread is basically a discussion of a proposed MediaWiki feature. See https://phabricator.wikimedia.org/T30085 for additional context.
On 20 February 2015 at 18:53, Bryan Davis bd808@wikimedia.org wrote:
On Fri, Feb 20, 2015 at 9:52 AM, devunt devunt@gmail.com wrote:
We should consider some edge cases like:
- More than two accounts with exactly same email and password.
-> In this case, which account should be chosen for logged-in? Maybe account selector could be one of the answers.
- If there's a 42 accounts with same email.
-> Should mediawiki try to check password forty two times? It will takes _very_ long time as enough to cause gateway timeout. Which means nobody can log in to that account. -> To avoid timing attack completely, should mediawiki calculate hash of all users forty two times as same as above user?
Minimum viable product assumption:
Given that authentication is attempted with an (email, password) pair When more than one account matches email Then perform one data load and hash comparison to mitigate timing attacks and fail authentication attempt
A community education campaign could easily be launched to notify users that this invariant will hold for email based authentication and give instructions on how to change the email associated with an account. The target audience for email based authentication (newer users who think of email addresses as durable tokens of their identity) will not be likely to be effected or even aware of the multiple account disambiguation problem.
Bryan
Bryan Davis Wikimedia Foundation bd808@wikimedia.org [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA irc: bd808 v:415.839.6885 x6855
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Build something that works for some subset of the use cases first, then we can worry about edge cases and scaling.
Before starting code, is this project have no chance to selection for GSoC 2015? I want to attend the GSoC 2015 with this project if available.
2015-02-21 3:00 GMT+09:00 Bryan Davis bd808@wikimedia.org:
On Fri, Feb 20, 2015 at 10:56 AM, Gerard Meijssen gerard.meijssen@gmail.com wrote:
Hoi, I have been at Meta ... I do not see it, I do not understand it .. What should I do to enable this ? Thanks, GerardM
This thread is basically a discussion of a proposed MediaWiki feature. See https://phabricator.wikimedia.org/T30085 for additional context.
On 20 February 2015 at 18:53, Bryan Davis bd808@wikimedia.org wrote:
On Fri, Feb 20, 2015 at 9:52 AM, devunt devunt@gmail.com wrote:
We should consider some edge cases like:
- More than two accounts with exactly same email and password.
-> In this case, which account should be chosen for logged-in? Maybe account selector could be one of the answers.
- If there's a 42 accounts with same email.
-> Should mediawiki try to check password forty two times? It will takes _very_ long time as enough to cause gateway timeout. Which means nobody can log in to that account. -> To avoid timing attack completely, should mediawiki calculate hash of all users forty two times as same as above user?
Minimum viable product assumption:
Given that authentication is attempted with an (email, password) pair When more than one account matches email Then perform one data load and hash comparison to mitigate timing attacks and fail authentication attempt
A community education campaign could easily be launched to notify users that this invariant will hold for email based authentication and give instructions on how to change the email associated with an account. The target audience for email based authentication (newer users who think of email addresses as durable tokens of their identity) will not be likely to be effected or even aware of the multiple account disambiguation problem.
Bryan
Bryan Davis Wikimedia Foundation bd808@wikimedia.org [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA irc: bd808 v:415.839.6885 x6855
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
-- Bryan Davis Wikimedia Foundation bd808@wikimedia.org [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA irc: bd808 v:415.839.6885 x6855
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 02/20/2015 05:52 PM, devunt wrote:
We should consider some edge cases like:
- More than two accounts with exactly same email and password.
-> In this case, which account should be chosen for logged-in? Maybe account selector could be one of the answers.
Is there any indication how common that situation is? It would be possible to just say "sorry, login by e-mail is not possible for you; please login by username". But you also run into the question if FOO@gmail.com and foo@gmail.com are the same e-mail address or two different ones. If there is a verified account with FOO@GMAIL.COM, can that user login as foo@gmail.com?
On Feb 23, 2015 12:06 PM, "Lars Aronsson" lars@aronsson.se wrote:
It would be possible to just say "sorry, login by e-mail is not possible for you; please login by username".
No, that isn't possible. We can't reveal existence or non-existence of an account with an address. If there's more than one with a given address and we throw that error message then we've revealed something we can't.
Multiple accounts match response should be identical to wrong password response and identical to no such email/username response.
-Jeremy
On 20/02/15 00:58, phoebe ayers wrote:
Hi all,
I'm the one who started that bug-now-task a while back, and for context, it was based directly on user feedback. What MzM says above is right. I was working with a casual (but quite good) editor who said to me "well, I'd edit that Wikipedia page, but I don't edit very often and I can never remember what my login is, since my usual login was taken. But if I could enter my email address, it would be a lot easier and I'd be more likely to just do it."
It looks like it would be enough to provide a "send forgotten username to this email" feature. Which is bug 13015 [1], fixed in 2011 [2] and afaik never enabled.
As it provides a list of usernames, there's no issue with "too-many-usernames, which to use for login"?
1- https://phabricator.wikimedia.org/T15015 2- http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/CentralAuth/Centr...
As an aside, I wonder if login-by-email may lead to lower-quality usernames, which is an important part of your identity in the community.
On Sun, Feb 22, 2015 at 3:33 PM, Platonides platonides@gmail.com wrote:
On 20/02/15 00:58, phoebe ayers wrote:
Hi all,
I'm the one who started that bug-now-task a while back, and for context, it was based directly on user feedback. What MzM says above is right. I was working with a casual (but quite good) editor who said to me "well, I'd edit that Wikipedia page, but I don't edit very often and I can never remember what my login is, since my usual login was taken. But if I could enter my email address, it would be a lot easier and I'd be more likely to just do it."
It looks like it would be enough to provide a "send forgotten username to this email" feature. Which is bug 13015 [1], fixed in 2011 [2] and afaik never enabled.
As it provides a list of usernames, there's no issue with "too-many-usernames, which to use for login"?
Hmm. I just tried asking for a password reset with my email [on English Wikipedia] and what I got was a list of temporary passwords for all the accounts associated with that email (a bunch, in my case, since I registered variations on my full name). The email lists the username and the temp password for each account.
But yes, it's not clear that link can be used for retrieving login as well as password. Changing the text to 'Forgot your password or login?' could help. (Of course, checking your email and resetting the password is still an extra step for the infrequent editor).
-- phoebe
p.s. this is an old issue; that was still likely an unfixed bug when I first filed it!
wikitech-l@lists.wikimedia.org