in reply to Re: Ideas for "fixing" PerlMonks 1.0
in thread Ideas for "fixing" PerlMonks 1.0

Less, let's say, humorously: I note the recent attempt by Bod to discuss the elephant in the room (the password problem), at Priorities perhaps?.

Having just re-read it, I see what I believe is a way to cut the Gordian knot. It could feel like a large, atomic change is needed to both encrypt the passwords, and put in place the workflow needed to do password resets that would be needed because the plaintext isn't available anymore.

But what about making a workflow for password resets now, even though the passwords are still plaintext in the database? It would both set the conditions for then encrypting the passwords as a second, independent step, and already increase security a bit by not having plaintext passwords be emailed around, and sit in people's mailboxes for ze baddies to snarf up.

Re^3: Ideas for "fixing" PerlMonks 1.0
by Arunbear (Prior) on Dec 17, 2024 at 11:32 UTC
      I see it got successfully bikeshedded into the ditch. Services that offer single-sign-on (SSO) options usually also offer a username/password option, so SSO is not a solution to this problem. You'd still need a password-reset capability.

      jdporter - what would it take to make password resets change from the current (email out the plaintext password) to sending out a password-reset link, in the PerlMonks codebase? Is it as simple as an additional SQL table "password_reset" with columns UID, one_time_key, time_requested, and a page that takes the first two as CGI params, asks for a new password, submitting to a second page that takes those 3 values and updates the database by updating the password and deleting the password_reset row? (The time_requested is so it can be cleaned up periodically)

      cavac - how does PageCamel do this?
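The table and two-page flow sketched in the post above, written out as an added Perl example (not code from the PerlMonks codebase). It assumes DBI with DBD::SQLite (an in-memory database so it runs stand-alone), stubs the actual password update, and stores only a hash of the one-time key, so a copy of the table yields no usable reset links.

```perl
# Added example, not PerlMonks/Everything code: the password_reset table from
# the post above, hardened so that only a SHA-256 of the one-time key is stored
# (a leaked table yields no usable links), keys expire, and a key works once.
# Assumes DBI + DBD::SQLite are installed; set_password() is a stub.
use strict;
use warnings;
use DBI;
use Digest::SHA qw(sha256_hex);
use MIME::Base64 qw(encode_base64url);

my $TTL = 3600;    # seconds a key stays valid (assumed policy)
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do(q{CREATE TABLE password_reset (uid INTEGER NOT NULL,
    key_hash TEXT NOT NULL UNIQUE, time_requested INTEGER NOT NULL)});

sub random_key {    # 32 bytes from the OS CSPRNG, URL-safe for the mailed link
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    (read($fh, my $bytes, 32) // 0) == 32 or die "short read from urandom";
    return encode_base64url($bytes);
}

# Step 1: the user asks for a reset; mail them a link carrying uid and $key
# (never the hash). Any older request for the same uid is superseded.
sub request_reset {
    my ($uid) = @_;
    my $key = random_key();
    $dbh->do('DELETE FROM password_reset WHERE uid = ?', undef, $uid);
    $dbh->do('INSERT INTO password_reset (uid, key_hash, time_requested) VALUES (?, ?, ?)',
             undef, $uid, sha256_hex($key), time);
    return $key;
}

# Step 2: the form posts uid, key and new password here; succeeds only for a
# known, unexpired key, and the row is deleted whether it was fresh or stale.
sub complete_reset {
    my ($uid, $key, $new_password) = @_;
    my $row = $dbh->selectrow_hashref(
        'SELECT time_requested FROM password_reset WHERE uid = ? AND key_hash = ?',
        undef, $uid, sha256_hex($key));
    return 0 unless $row;    # no request, or wrong key: say nothing more
    my $fresh = time - $row->{time_requested} <= $TTL;
    set_password($uid, $new_password) if $fresh;
    $dbh->do('DELETE FROM password_reset WHERE uid = ?', undef, $uid);    # single use
    return $fresh ? 1 : 0;
}

sub set_password { my ($uid, $pw) = @_; print "set password for uid $uid\n" }    # stub

my $k = request_reset(42);
print complete_reset(42, $k, 'new-pass') ? "first use: ok\n" : "first use: refused\n";
print complete_reset(42, $k, 'new-pass') ? "replay: ok\n"    : "replay: refused\n";
```

The second call is refused because the row was deleted on first use, which is what makes the key one-time; the periodic cleanup the post mentions only has to delete rows older than the TTL.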

        ... Is it as simple as [a bunch of really complicated sounding stuff] ...

        Yes? :-D If you can write the code, I'm willing to create the db table(s) you'll need. (And I can help you write the code, wrt interfacing with the framework.)

        Short version

        As pmdev you have access to code search and all documentation and wikis. ¹

        You can also install an old everything and play around.

        Long version

        I've already provided you with many links to inform yourself and help with developing.

        While you haven't provided a single patch yet, you are very vocal in criticizing and demanding change here.

        I somehow doubt you'll ever "take the bait" and start with (non-vocal) contributions.

        Cheers Rolf
        (addicted to the Perl Programming Language :)
        see Wikisyntax for the Monastery

        ¹) PmDev Nodelet