On 7/6/05, Rowan Collins rowan.collins@gmail.com wrote:
> Besides, if this was a banking site, I'd take these issues a bit more seriously; if someone just wants to impersonate or disadvantage you on Wikipedia, I'm sure they could find simpler ways anyway.
BookCrossing uses a similar mechanism, but it's the original password that gets sent out to the registered email address. Problems come when this email address is one no longer in use, and then we have to ask questions based on information stored on the profile that isn't publicly available.
I think the only serious attempt at abuse we had was a disgruntled ex-husband who wanted to delete his ex-wife's account. He didn't know her password, he wasn't on the email address, and when we asked him her birthday, he didn't know it!
It is good practice to change your password immediately after getting a password reminder. As noted above, it deletes your temp password and you can then choose one that you can either remember easily or scrawl on a post-it and throw away a week later.
And again, what precisely is at risk here? WP is a project where just about everything is revertable (and frequently is). If my on-line banking was compromised but I could easily reverse any transactions, I wouldn't be too concerned.
And after all, WP allows anyone to edit anything. We seem to deal with malicious users quite well, at least until such people reach senior positions in the WP heirarchy.
Probably the only real damage (apart from annoyance and confusion) that could be done by a compromised password is the alteration of private details, and I would hope that these could be restored reasonably easily when the real editor complains.
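The two reminder mechanisms discussed above, mailing back the original password versus issuing a temporary one that a later password change wipes, as an added example that is not code from this thread, from BookCrossing or from MediaWiki; the Account class, its 24-hour TEMP_TTL and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # Only a one-way PBKDF2 digest is stored, so the service could never
    # mail the original password back the way the post describes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    TEMP_TTL = 24 * 3600  # assumption: temporary password valid for one day

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.temp_hash = None  # hashed temporary password while one is live
        self.temp_expires = 0.0
    def request_reminder(self, now: float) -> str:
        """Mint a random temporary password; the caller e-mails it out."""
        temp = secrets.token_urlsafe(12)
        self.temp_hash = _hash(temp, self.salt)
        self.temp_expires = now + self.TEMP_TTL
        return temp
    def login(self, password: str, now: float) -> bool:
        candidate = _hash(password, self.salt)
        if hmac.compare_digest(candidate, self.pw_hash):
            return True
        # The temporary password is accepted only while it is unexpired.
        if self.temp_hash is not None and now < self.temp_expires:
            return hmac.compare_digest(candidate, self.temp_hash)
        return False
    def set_password(self, new_password: str) -> None:
        """Choosing a new password discards any outstanding temporary one."""
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.temp_hash = None

def reminder_flow() -> dict:
    """Reminder issued, used, then wiped by a password change."""
    acct = Account("original-secret")
    temp = acct.request_reminder(now=1000.0)
    result = {
        "temp_works": acct.login(temp, now=1000.0),
        "temp_expired": acct.login(temp, now=1000.0 + Account.TEMP_TTL),
    }
    acct.set_password("new-secret")
    result["temp_after_change"] = acct.login(temp, now=1000.0)
    result["new_works"] = acct.login("new-secret", now=1000.0)
    return result
```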