On Thu, Feb 19, 2015 at 6:44 AM, Marc A. Pelletier <marc(a)uberbox.org> wrote:
> That would be a catastrophe, from a privacy standpoint; even if we restrict
> this to verified email addresses, there is no possible guarantee that the
> person who controlled email address x@y in the past is the person who
> controls it today.
Not that precedent makes it right, but this is possible already with
password reset. We assume that if you control x@y, you are entitled to
control any accounts with a confirmed email of x@y.
> It would also have horrid security implications if you allow further creation
> of accounts sharing an email (which would be necessary to make that feature
> useful): create an account with the email of someone you want to find the
> Wikimedia account of, log in, be presented with the accounts.
If it's limited to accounts with a confirmed email, and the passwords
all match, then this isn't an issue (unless I'm misunderstanding your
concern). As an attacker, I can't confirm the email of my victim for
my account, and it's unlikely that I can set the same password
(otherwise I'd just log in as them).
But those requirements do require hashing the password per user, which
does leak timing information when we run this in PHP with our current
password system -- maybe we can find a service to do all the hashing in
parallel. But to start, just not allowing that case would cover the
90% (99.9% probably) use case.
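The lookup described in this reply (list only accounts whose confirmed email matches and whose password verifies) together with the timing concern, as an added illustration that is not part of this thread or of MediaWiki's code. It is written in Python rather than PHP, uses PBKDF2 from the standard library, and, as my own assumption in place of the parallel hashing suggested above, pads every lookup with dummy hash computations so the number of hashes performed (and hence the response time) no longer reveals how many accounts share an email; the account table is constructed sample data.

```python
import hashlib
import hmac
import os
ITERATIONS = 10_000         # deliberately low so the example runs quickly
MAX_CANDIDATES = 8          # upper bound on accounts checked per lookup
DUMMY_SALT = b"\x00" * 16   # salt for padding hashes whose result is discarded
HASH_CALLS = {"count": 0}   # instrumentation: hashes computed by a lookup

def hash_password(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(name: str, email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"name": name, "email": email, "salt": salt, "hash": hash_password(password, salt)}

# Constructed sample table: three accounts share the confirmed email x@y.
USERS = [
    make_user("alice", "x@y", "correct horse"),
    make_user("alice_alt", "x@y", "correct horse"),
    make_user("alice_old", "x@y", "something else"),
    make_user("bob", "b@z", "hunter2"),
]

def verifies(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])

def find_accounts_naive(email: str, password: str, users=USERS) -> list:
    """Leaky version: one hash per account sharing the email, so the response
    time grows with how many such accounts exist, even for a wrong password."""
    return [u["name"] for u in users if u["email"] == email and verifies(u, password)]

def find_accounts_padded(email: str, password: str, users=USERS) -> list:
    """Always performs MAX_CANDIDATES hash computations, so the time taken no
    longer depends on how many accounts share the email (at most that many are checked)."""
    candidates = [u for u in users if u["email"] == email][:MAX_CANDIDATES]
    matches = []
    for i in range(MAX_CANDIDATES):
        if i < len(candidates):
            if verifies(candidates[i], password):
                matches.append(candidates[i]["name"])
        else:
            hash_password(password, DUMMY_SALT)  # padding work, result unused
    return matches

def hashes_used(lookup, email: str, password: str) -> int:  # hashes one lookup performs
    HASH_CALLS["count"] = 0
    lookup(email, password)
    return HASH_CALLS["count"]
```

Comparing hashes_used for the naive and padded lookups on a wrong password shows the leak: the naive count equals the number of accounts with that email, the padded count is always MAX_CANDIDATES.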