That's why I surf PerlMonks via hostnames of my own design. Only me, my hosts file, and the web-server logs know for sure.

Yes, it would be good to make quite a few improvements to PM security. And I think that I approve of your suggested change.

I think an even better change would be to send an e-mail to the old address when a new address is set. The e-mail could even include a "recover my stolen account" link that would allow you to get back your account if the e-mail change wasn't done (intentionally) by you and had been used to get access to your account and to change your password. The e-mail would tell you what changed and encourage you to change it back and change your password (and maybe report the incident) if you didn't intend the change. Then the "recover my account" link would expire after a month, say.

One complication to consider with your suggested proposal is that we only have two security items (password and e-mail) and it is easy to set a cookie and then to use your PerlMonks account for months/years without ever entering your password again. So one might suddenly realize that they lost their job and don't have access to their configured PerlMonks e-mail address and they also don't know their password, but they do still have a valid cookie on their home browser. With your change, they couldn't just change their e-mail. If changing one's password also requires one to enter the old password (not just have a valid cookie -- something that would make sense but that I'm not sure PerlMonks currently does but something that it certainly might do soon), then such a monk would be left with no way to recover their password nor update their e-mail address so they'd be left in a sort of limbo, praying that their one good cookie doesn't get lost somehow.

It might be better to have four security items at PerlMonks: your password, your e-mail address, your secret token, and the answer to your "security question". Then you'd need to re-enter your password in order to be shown any of the other items or to make updates to any of them (including changing your password). You could have your password e-mailed to you with no extra hoops, like now. But you could also "recover your account" (by changing the e-mail address, which would send a notice to the old address) if you knew at least two of the other security items (or maybe knew one of them and had a valid cookie).

Actually, I had plans for more general changes to prevent spoofed POST problems, which is where the "secret token" item came into my mind.

And I think an equally simple and less problematic fix (compared to your proposal) would be to include a cryptographic hash of username plus IP address plus secret seed (known only to the gods) on the user edit page and require it for any changes on that page.

So I'd prioritize the changes as follows:

  1. Add required hash to "user edit page".
  2. Send e-mail to old address when e-mail updated.
  3. Other security improvements to enable "recover my account"...

- tye


In reply to Re^3: Password required for email change (security) by tye
in thread Password required for email change by tinita
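The two mechanisms tye sketches above, a seed-keyed hash of username plus IP that the user edit page must echo back, and a signed "recover my account" link that stops working after a month, can both be built from a single keyed hash. The following Perl is an added example and is not PerlMonks code: the secret seed is a constructed placeholder, the hash is an HMAC (Digest::SHA, core Perl) rather than a bare hash of concatenated fields, and the recovery token carries the old and new address plus an expiry so the link proves which change it reverts.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed placeholder seed. A real site loads this from configuration
# readable only by the administrators ("the gods") and never sends it out.
my $SECRET_SEED = 'constructed-example-seed-do-not-reuse';

# Recovery window from the post: the link expires after a month.
use constant RECOVERY_WINDOW => 30 * 24 * 60 * 60;

# Token for the user edit page: HMAC over username and client IP, keyed with
# the seed. Embedded as a hidden form field; a spoofed POST from elsewhere
# cannot produce it without the seed. "\0" separators stop field smearing
# (e.g. "ab"+"c" vs "a"+"bc") from yielding the same input.
sub edit_page_token {
    my ($username, $ip) = @_;
    return hmac_sha256_hex("edit\0$username\0$ip", $SECRET_SEED);
}

# Constant-time comparison so a mismatch reveals no position information.
sub tokens_match {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Check the token that arrived with a POST to the edit page.
sub verify_edit_post {
    my ($username, $ip, $submitted) = @_;
    return tokens_match(edit_page_token($username, $ip), $submitted // '');
}

# "Recover my account" token mailed to the OLD address when the e-mail
# changes. Payload: username, old e-mail, new e-mail, expiry time.
sub make_recovery_token {
    my ($username, $old_email, $new_email, $now) = @_;
    my $payload = join "\0", $username, $old_email, $new_email, $now + RECOVERY_WINDOW;
    my $sig = hmac_sha256_hex("recover\0$payload", $SECRET_SEED);
    # Base64 never contains '.', so it is a safe separator before the hex MAC.
    return encode_base64($payload, '') . '.' . $sig;
}

# Returns (record, undef) when the token is genuine and unexpired,
# or (undef, reason) otherwise. Signature is checked before expiry so an
# attacker learns nothing from forged tokens with made-up timestamps.
sub check_recovery_token {
    my ($token, $now) = @_;
    my ($b64, $sig) = split /\./, $token, 2;
    return (undef, 'malformed') unless defined $sig;
    my $payload  = decode_base64($b64);
    my $expected = hmac_sha256_hex("recover\0$payload", $SECRET_SEED);
    return (undef, 'bad signature') unless tokens_match($expected, $sig);
    my ($username, $old_email, $new_email, $expires) = split /\0/, $payload, 4;
    return (undef, 'expired') if $now > $expires;
    return ({ username => $username, old_email => $old_email, new_email => $new_email }, undef);
}

# Demonstration with constructed values (runs only when executed directly).
if (!caller) {
    my $tok = edit_page_token('tye', '192.0.2.10');
    print "edit token from same IP accepted: ",
        (verify_edit_post('tye', '192.0.2.10', $tok) ? 'yes' : 'no'), "\n";
    print "same token replayed from another IP accepted: ",
        (verify_edit_post('tye', '198.51.100.7', $tok) ? 'yes' : 'no'), "\n";

    my $now = 1_700_000_000;
    my $rt  = make_recovery_token('tye', 'old@example.invalid', 'new@example.invalid', $now);
    my ($rec, $err) = check_recovery_token($rt, $now + 86_400);
    print "recovery one day later: ", ($rec ? "restore $rec->{old_email}" : $err), "\n";
    ($rec, $err) = check_recovery_token($rt, $now + RECOVERY_WINDOW + 1);
    print "recovery after the window: ", ($rec ? 'accepted' : $err), "\n";
    ($rec, $err) = check_recovery_token(substr($rt, 0, -1) . '0', $now);
    print "tampered token: ", ($rec ? 'accepted' : $err), "\n";
}
```

Two practical notes on the edit-page token. Binding it to the client IP, as the post proposes, is what makes a captured token useless from elsewhere, but it also rejects legitimate edits from users whose address changes mid-session (mobile networks, rotating proxies); a site that sees many such rejections in its logs can bind to the session identifier instead of, or in addition to, the IP. For the recovery link, the old address is notified of both addresses, so the owner can see exactly what changed, and the token is bound to that specific change, so a link mailed out for one e-mail update cannot be replayed to undo a later one.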
