On Fri, Feb 20, 2015 at 10:56 AM, Gerard Meijssen
<gerard.meijs...@gmail.com> wrote:
> Hoi,
> I have been at Meta ... I do not see it, I do not understand it ... What
> should I do to enable this?
> Thanks,
>      GerardM

This thread is basically a discussion of a proposed MediaWiki feature.
See <https://phabricator.wikimedia.org/T30085> for additional context.


> On 20 February 2015 at 18:53, Bryan Davis <bd...@wikimedia.org> wrote:
>
>> On Fri, Feb 20, 2015 at 9:52 AM, devunt <dev...@gmail.com> wrote:
>> > We should consider some edge cases like:
>> >
>> > * More than two accounts with exactly the same email and password.
>> > -> In this case, which account should be chosen to log in? Maybe an
>> > account selector could be one of the answers.
>> >
>> > * If there are 42 accounts with the same email.
>> > -> Should MediaWiki try to check the password forty-two times? It will
>> > take a _very_ long time, enough to cause a gateway timeout, which means
>> > nobody can log in to that account.
>> > -> To avoid timing attacks completely, should MediaWiki calculate the
>> > hash of all users forty-two times, the same as for the user above?
>>
>> Minimum viable product assumption:
>>
>> Given that authentication is attempted with an (email, password) pair
>> When more than one account matches email
>> Then perform one data load and hash comparison to mitigate timing attacks
>> and fail authentication attempt
>>
>> A community education campaign could easily be launched to notify
>> users that this invariant will hold for email based authentication and
>> give instructions on how to change the email associated with an
>> account. The target audience for email based authentication (newer
>> users who think of email addresses as durable tokens of their
>> identity) will not be likely to be affected or even aware of the
>> multiple account disambiguation problem.
>>
>> Bryan
>> --
>> Bryan Davis              Wikimedia Foundation    <bd...@wikimedia.org>
>> [[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
>> irc: bd808                                        v:415.839.6885 x6855
>>
>> _______________________________________________
>> Wikitech-l mailing list
>> Wikitech-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>



-- 
Bryan Davis              Wikimedia Foundation    <bd...@wikimedia.org>
[[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
irc: bd808                                        v:415.839.6885 x6855
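The "minimum viable product" rule in the quoted message (one data load and one hash comparison whether the email matches zero, one, or forty-two accounts, and a failed login in the ambiguous case) can be shown concretely. The following is an added illustration written for this thread, not MediaWiki's own code or Bryan's; it uses Python rather than PHP to show the pattern, and the record layout, `EmailAuthenticator`, `DECOY` and the PBKDF2 parameters are all assumptions constructed for the example. The point it demonstrates is that every path through `authenticate` performs exactly one password-hash computation, so the response time does not reveal how many accounts share an address.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed parameters for the example; production deployments use
# more iterations and whatever hash scheme the real user store requires.
PBKDF2_ITERATIONS = 50_000
SALT_LEN = 16


def make_record(username: str, email: str, password: str) -> dict:
    """Build an in-memory user row with a salted PBKDF2-HMAC-SHA256 hash."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"username": username, "email": email.lower(), "salt": salt, "hash": digest}


# Decoy row with a random, unguessable password. It is hashed against when no
# account (or more than one) matches, so the work done equals the single-match path.
DECOY = make_record("<decoy>", "", os.urandom(32).hex())


class EmailAuthenticator:
    def __init__(self, records):
        # One "data load": index all rows by normalised email address.
        self.by_email = defaultdict(list)
        for record in records:
            self.by_email[record["email"]].append(record)
        self.hash_computations = 0  # instrumentation for the example only

    def _verify(self, record: dict, password: str) -> bool:
        """Recompute the hash once and compare it in constant time."""
        self.hash_computations += 1
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
        )
        return hmac.compare_digest(candidate, record["hash"])

    def authenticate(self, email: str, password: str):
        """Return the username on success, None on failure.

        Exactly one hash comparison happens on every path: a unique match is
        checked for real; zero or ambiguous matches are checked against the
        decoy and then rejected, as the thread's MVP rule proposes.
        """
        matches = self.by_email.get(email.lower(), [])
        if len(matches) == 1:
            record = matches[0]
            return record["username"] if self._verify(record, password) else None
        # Zero or several accounts share this address: same cost, then fail.
        self._verify(DECOY, password)
        return None


def build_demo() -> EmailAuthenticator:
    """Constructed sample user table: one unique address, one shared by two accounts."""
    return EmailAuthenticator([
        make_record("alice", "alice@example.org", "correct horse"),
        make_record("bob", "shared@example.org", "battery staple"),
        make_record("carol", "shared@example.org", "battery staple"),
    ])


def attempt(auth: EmailAuthenticator, email: str, password: str):
    """Run one login attempt and report (result, hashes computed for that attempt)."""
    before = auth.hash_computations
    result = auth.authenticate(email, password)
    return result, auth.hash_computations - before


if __name__ == "__main__":
    auth = build_demo()
    for email, pw in [("alice@example.org", "correct horse"),
                      ("alice@example.org", "wrong"),
                      ("shared@example.org", "battery staple"),
                      ("nobody@example.org", "anything")]:
        print(email, attempt(auth, email, pw))
```

Note that rejecting the ambiguous case outright, rather than trying each candidate or presenting a selector, is what keeps the cost fixed; the decoy comparison is there only so that the "no such email" and "too many accounts" paths take as long as a genuine failed password check.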

