[Moin-user] E-mailing passwords is broken
Malte Helmert
helmert at informatik.uni-freiburg.de
Thu Feb 10 05:28:51 EST 2005
Dear group,
as far as I can tell, the "e-mail passwords" functionality in MoinMoin
is broken. Since the password is not stored as plaintext anywhere (a
good thing), the user can only get at the SHA1 digest of his password,
which doesn't help at all. Maybe it should be replaced with a "Reset
password" option that assigns the user a new random password which they
can then subsequently change?
Authentication could work as follows:
1. User clicks "Reset password".
2. MoinMoin generates a random authentication string FOO and stores it
away somewhere.
3. MoinMoin sends an e-mail to the user asking him to go to
http://www.the-wiki-address/moin.cgi?action=reset_password?auth=FOO
to confirm that they want to reset the password.
4. User receives mail and visits the address.
5. When the address is visited, MoinMoin generates a new password and
e-mails it to the user.
The process could be streamlined somewhat by e-mailing the password to
the user already in step 3. Visiting the generated address would then
only be necessary for confirming the password.
Alternatively, the page shown under 5. could contain an "enter your new
password" prompt, so that no random passwords are generated at all, only
the random authentication string FOO.
While I am talking about logging into MoinMoin wikis, two minor nits.
I think that the presence of a "Login" link instead of "UserPreferences"
in the new versions is a usability improvement. However, I think that a
"Logout" link would be good as well. Looking for "Logout" under
"UserPreferences" is not intuitive, since logging out is not really a
preference.
Second, I think it should be allowable that several users have the same
e-mail address. I often want to have several accounts in Wikis I
administrate, e.g. a regular account "MalteHelmert" and some "TestUser"
account. Other people might want to have a special "WikiAdmin" account
or some such. Right now, this requires specifying different e-mail
addresses for each user. (At least that's what I recall.)
Malte
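The reset flow sketched in steps 1-5 above, as an added example that is not MoinMoin code and not part of the original post. It follows the poster's third variant (the confirmation page asks for the new password, so only the random string FOO is ever generated). Everything beyond the post is an assumption: the token is stored only as a hash and expires after an hour, passwords are kept as salted PBKDF2 hashes instead of a bare SHA1 digest, and the user table, token store and outbox are constructed in-memory stand-ins for the wiki's storage and sendmail.

```python
"""Token-based password reset modelled on the mailing-list proposal.

Added example, not MoinMoin code. Assumptions not taken from the post:
hashed single-use tokens with an expiry, the new password chosen on the
confirmation page, and salted PBKDF2 password storage.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed: a reset link is valid for one hour

# Constructed in-memory stores standing in for the wiki's user database.
users = {}         # name -> {"email", "pw_salt", "pw_hash"}
reset_tokens = {}  # sha256(token) -> {"user", "expires"}
outbox = []        # (recipient, body) pairs, standing in for sendmail


def _hash_password(password, salt):
    # Salted, slow hash: equal passwords get different digests and
    # brute-forcing a leaked table is expensive, unlike a bare SHA1 digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(name, email, password):
    salt = secrets.token_bytes(16)
    users[name] = {"email": email, "pw_salt": salt,
                   "pw_hash": _hash_password(password, salt)}


def check_password(name, password):
    u = users.get(name)
    if u is None:
        return False
    candidate = _hash_password(password, u["pw_salt"])
    return hmac.compare_digest(candidate, u["pw_hash"])  # constant-time compare


def request_reset(name, base_url, now=None):
    """Steps 1-3: mint FOO, store only its hash, mail the confirmation link.

    Returns True when a mail was queued, False for an unknown user; the UI
    should show the same message in both cases so account names don't leak.
    """
    now = time.time() if now is None else now
    u = users.get(name)
    if u is None:
        return False
    token = secrets.token_urlsafe(32)  # FOO: 256 random bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[digest] = {"user": name, "expires": now + TOKEN_TTL_SECONDS}
    # Query parameters are separated by '&'; the raw token travels only in the mail.
    link = f"{base_url}?action=reset_password&auth={token}"
    outbox.append((u["email"], f"To reset your password visit {link}"))
    return True


def confirm_reset(token, new_password, now=None):
    """Steps 4-5: the user follows the link and chooses a new password."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(digest, None)  # single use: consumed on first presentation
    if entry is None or entry["expires"] < now:
        return False
    u = users[entry["user"]]
    u["pw_salt"] = secrets.token_bytes(16)  # fresh salt with the fresh password
    u["pw_hash"] = _hash_password(new_password, u["pw_salt"])
    return True


if __name__ == "__main__":
    create_user("MalteHelmert", "helmert@example.invalid", "old-secret")
    request_reset("MalteHelmert", "http://www.the-wiki-address/moin.cgi")
    print(outbox[-1][1])  # the mail the user would receive, containing FOO
```

Storing only the SHA-256 of FOO means a copy of the token table cannot be replayed against the confirmation page, and popping the entry on first use makes a forwarded or leaked link worthless after the legitimate visit.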