Hoi,
I have been at Meta ... I do not see it, I do not understand it .. What
should I do to enable this ?
Thanks,
GerardM
On 20 February 2015 at 18:53, Bryan Davis <[email protected]> wrote:
> On Fri, Feb 20, 2015 at 9:52 AM, devunt <[email protected]> wrote:
> > We should consider some edge cases like:
> >
> > * More than two accounts with exactly the same email and password.
> > -> In this case, which account should be chosen for login? Maybe
> > an account selector could be one of the answers.
> >
> > * If there are 42 accounts with the same email.
> > -> Should mediawiki try to check the password forty-two times? It will
> > take a _very_ long time, enough to cause a gateway timeout. Which means
> > nobody can log in to that account.
> > -> To avoid timing attacks completely, should mediawiki calculate the hash
> > for all users forty-two times, the same as for the above user?
>
> Minimum viable product assumption:
>
> Given that authentication is attempted with an (email, password) pair
> When more than one account matches email
> Then perform one data load and hash comparison to mitigate timing attacks
> and fail authentication attempt
>
> A community education campaign could easily be launched to notify
> users that this invariant will hold for email based authentication and
> give instructions on how to change the email associated with an
> account. The target audience for email based authentication (newer
> users who think of email addresses as durable tokens of their
> identity) will not be likely to be affected or even aware of the
> multiple account disambiguation problem.
>
> Bryan
> --
> Bryan Davis Wikimedia Foundation <[email protected]>
> [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA
> irc: bd808 v:415.839.6885 x6855
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
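The "minimum viable product" rule quoted above from Bryan Davis's message, written out as an added example; it is not part of the original thread and is not MediaWiki code. The account store, function names and PBKDF2 parameters are assumptions, the sample accounts are constructed, and the dummy record for unknown emails goes one step beyond the quoted rule.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000           # assumed work factor, kept low for the demo
STATS = {"hash_calls": 0}     # instrumentation: hashes done during login


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(name, email, password):
    salt = os.urandom(16)
    return {"name": name, "email": email, "salt": salt,
            "hash": hash_password(password, salt)}


# Constructed sample accounts; two of them share one email address.
USERS = [
    make_user("Alice", "alice@example.org", "correct horse"),
    make_user("Bob", "shared@example.org", "hunter2"),
    make_user("BobBot", "shared@example.org", "hunter2"),
]

# Assumption beyond the quoted rule: a dummy record so that an unknown
# email costs one hash as well.
DUMMY = make_user("", "", "unused")


def authenticate_by_email(email, password):
    """Return the account name on success, None on any failure."""
    # One data load: every account registered with this email.
    matches = [u for u in USERS if u["email"] == email]
    # Exactly one hash comparison, however many accounts matched.
    record = matches[0] if matches else DUMMY
    STATS["hash_calls"] += 1
    candidate = hash_password(password, record["salt"])
    password_ok = hmac.compare_digest(candidate, record["hash"])
    # Only an email that identifies exactly one account can log in.
    if password_ok and len(matches) == 1:
        return record["name"]
    return None
```

With 42 accounts on one address the login still costs a single hash, so it cannot be pushed into a gateway timeout, and the shared-email case fails even when the password is correct.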