I described an alternate idea on how to avoid timing attacks without limiting it to one account per address. https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/Login_via_e-mail_address/Timing_attacks_on_emails_with_multiple_accounts
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]

On 2015-02-19 5:27 AM, Tyler Romeo wrote:
> I've said this previously, but I believe the only controversial part of
> this change is ensuring the security and privacy of email addresses.
>
> All this involves is constructing a process where every login,
> regardless of the identifier and regardless of the database state,
> always performs one and exactly one database query and one and exactly
> one password hashing.
>
> On 2/19/15 07:54, Tony Thomas wrote:
>> Hello,
>>
>> Before someone starts with a proposal for the proposed-tech-project 'Allow
>> user login with e-mail address'[1], is there still community consensus for
>> the same? I personally think it's a must-have for MediaWiki, as an e-mail
>> address is easier to remember than a complex username. Currently multiple
>> users can sign up with the same e-mail id - which would possibly be a
>> blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on
>> the same.
>>
>> [1] https://phabricator.wikimedia.org/T30085
>> [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
>>
>> Thanks,
>> Tony Thomas <http://tttwrites.wordpress.com/>
>> FOSS@Amrita <http://foss.amrita.ac.in>
>>
>> *"where there is a wifi, there is a way"*
>> _______________________________________________
>> Wikitech-l mailing list
>> [email protected]
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
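
Added example, not part of the original thread and not MediaWiki code: a sketch of the property Tyler Romeo describes above, where a login by username, by e-mail address, or with an unknown identifier each costs exactly one database query and one password hash. The schema, the `CountingStore` class, the PBKDF2 parameters and the assumption that e-mail addresses are unique are all constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # constructed demo value, not a recommendation


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Decoy credentials: hashed against when no account matches, so a miss
# costs the same password-hashing work as a hit.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(os.urandom(16).hex(), DUMMY_SALT)


class CountingStore:
    """In-memory user table that counts queries and hashes per login."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        # Assumption: e-mail is unique here; the thread notes MediaWiki
        # currently allows several accounts per address.
        self.db.execute(
            "CREATE TABLE user (name TEXT UNIQUE, email TEXT UNIQUE,"
            " salt BLOB, pw BLOB)"
        )
        self.queries = 0
        self.hashes = 0

    def add(self, name, email, password):
        salt = os.urandom(16)
        self.db.execute(
            "INSERT INTO user VALUES (?, ?, ?, ?)",
            (name, email, salt, hash_password(password, salt)),
        )

    def login(self, identifier, password):
        # One query, whether the identifier is a username, an e-mail
        # address, or matches nothing at all.
        self.queries += 1
        row = self.db.execute(
            "SELECT name, salt, pw FROM user"
            " WHERE name = :id OR email = :id LIMIT 1",
            {"id": identifier},
        ).fetchone()
        name, salt, stored = row if row else (None, DUMMY_SALT, DUMMY_HASH)
        # One hash, against the real record or the decoy.
        self.hashes += 1
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        return name if ok and row is not None else None
```

The counters exist only so the one-query, one-hash invariant can be asserted in a test; equal work per path does not by itself guarantee equal wall-clock time, which still has to be measured.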
