Revision history for UserSettingsAndPasswords


Revision [22934]

Last edited on 2016-05-20 07:38:42 by NilsLindenberg [Replaces old-style internal links with new pipe-split links.]
Additions:
Here I'll share my efforts to make user registration, login/logout and password-handling a little more user-friendly as well as more secure. And apart from making sure the associated forms are XHTML-compliant, I'm also making them accessible according to the [[http://w3.org/WAI | WAI]] guidelines.
Deletions:
Here I'll share my efforts to make user registration, login/logout and password-handling a little more user-friendly as well as more secure. And apart from making sure the associated forms are XHTML-compliant, I'm also making them accessible according to the [[http://w3.org/WAI WAI]] guidelines.


Revision [18258]

Edited on 2008-01-28 00:10:48 by NilsLindenberg [Modified links pointing to docs server]

No Differences

Revision [4786]

Edited on 2005-01-17 19:54:18 by NilsLindenberg [cat. changed]
Additions:
CategoryUserContributions
Deletions:
CategoryDevelopment


Revision [1513]

Edited on 2004-10-01 13:25:23 by JavaWoman [comment / proposal]
Additions:
OK, Sam, you have a point about it being more user-friendly if a once-accepted password can remain the same. I could make it (WikiAdmin-)configurable; that way you could have a once-valid password remain valid (but still apply new rules when the user wants to change the password), and have that the default behavior; or the WikiAdmin could choose to enforce the new rules and have a prompt for a new password on login. How does that sound?
[One thing though: many people actually have no idea about password security or what __makes__ a password secure. I've overheard people telling each other how to choose this weird thing called a password .... not that they didn't care - they just had no idea! :) Then again, probably [[WikiUser]]s are a little wiser!]


Revision [1471]

Edited on 2004-09-29 16:27:44 by AHerdOfTurtles [comment / proposal]
Additions:
''Thanks for your work on this JW :) Looking forward to seeing this "prompt" for a new password. Just my two cents here: from a user standpoint, it's easier to work with a single password for a single site. That is, this prompt seems excessive. If a user chooses a 2 letter password (when it was okay to do so), then she probably doesn't care about security. Whereas if it was to be secure, you'd choose something dramatic. Additionally, on a social side, it's cool to have a unique password. I have a 5 character password for one of my Hotmail accounts whereas you need 6 characters when signing for a new account. Cool!'' -- Sam


Revision [1401]

Edited on 2004-09-25 14:41:51 by JavaWoman [changing password rules]
Additions:
==Strengthened password rules on existing site==
On an existing site where the password minimum length is increased the following situation can occur:
A user logs in with a valid (existing) password, but the rules have changed and it's now too short. The system should then enforce choosing a new password (of sufficient length).
I have this implemented now on my local machine. No single patch - part of my complete overhaul of the login/registration functionality. Will post completed code later...
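
The login behaviour described in revision [1401], with the WikiAdmin switch proposed in revision [1513], as an added example: it is not JavaWoman's patch and not WikkaWiki code. The function names, the config keys and the use of password_hash() for storage are assumptions made for the illustration.

```php
<?php
// Added illustration; not WikkaWiki code. All names here are hypothetical.
// Policy the WikiAdmin would set (constructed sample values).
$config = [
    'password_min_length' => 8,      // raised from the old minimum of 5
    'enforce_on_login'    => false,  // false: a once-accepted password stays valid
];

// Constructed sample account, created while the minimum was still 5.
$users = ['SampleUser' => ['hash' => password_hash('abcde', PASSWORD_DEFAULT)]];

// The stored hash hides the password's length, so the rule can only be
// checked where the plaintext is available: at login or on a change.
function meetsPolicy(string $password, array $config): bool
{
    // strlen() counts bytes; use mb_strlen() to count characters instead.
    return strlen($password) >= $config['password_min_length'];
}

// Returns 'denied', 'ok' or 'must_change'.
function login(array $users, array $config, string $name, string $password): string
{
    // Verify the credentials first, so the policy check tells nothing
    // to someone who does not already know the account's password.
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['hash'])) {
        return 'denied';
    }
    if ($config['enforce_on_login'] && !meetsPolicy($password, $config)) {
        return 'must_change';   // caller sends the user to the new-password prompt
    }
    return 'ok';
}

// A password change applies the current rule in either mode.
function changePassword(array &$users, array $config, string $name, string $new): bool
{
    if (!isset($users[$name]) || !meetsPolicy($new, $config)) {
        return false;
    }
    $users[$name]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

var_dump(login($users, $config, 'SampleUser', 'abcde'));   // old password, lenient mode
$config['enforce_on_login'] = true;
var_dump(login($users, $config, 'SampleUser', 'abcde'));   // old password, strict mode
var_dump(changePassword($users, $config, 'SampleUser', 'abc'));
var_dump(changePassword($users, $config, 'SampleUser', 'longer-pass'));
var_dump(login($users, $config, 'SampleUser', 'longer-pass'));
```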


Revision [1400]

Edited on 2004-09-25 13:43:16 by JavaWoman [category as link, not heading ;-)]
Additions:
-----
Deletions:
====


Revision [1389]

Edited on 2004-09-25 07:06:31 by NilsLindenberg [category as link, not heading ;-)]
Additions:
====
CategoryDevelopment
Deletions:
====


Revision [1384]

Edited on 2004-09-24 11:47:06 by JavaWoman [reply to Sam]
Additions:
No, I don't think the concept of a Wiki is to make security irrelevant - just to make a community effort to maintain pages/information on the Web (or an intranet) easy. But many Wikis (including this one!) have been configured to require a user to have an account and be logged in to be able to edit any page.
The idea behind more secure passwords is not to make the **Wiki** more secure, but to make those **accounts** more secure - so someone else may not "take over" an account and then impersonate someone. And let's not forget that most Wikis also have a Wiki Master and one or more users with Admin rights - should anyone be able to easily take over those accounts? I think not (at that point security of user-supplied email addresses also becomes relevant).
Of course, if you think 2 characters is sufficient for __your__ Wiki, my patch (applied __once__) allows you to configure just that instead of replacing a constant in 10 locations or so (I didn't count). I just go in the other direction. ;-)
Upgrading is a good point though: I don't know how upgrading is implemented (yet) - I've only looked at a current installation and new setups so far. I'll look into that; I've only just started with Wikka... Thanks!
-- JavaWoman


Revision [1383]

Edited on 2004-09-24 10:38:06 by AHerdOfTurtles [reply to Sam]
Additions:
Now minimum password length is Admin-configurable and will be enforced in ""UserSettings"" for registration and login. (Make sure any existing passwords are of sufficient length first!) A good minimum is 8 characters but this patch maintains the current default of 5 in Wikka.
''Um, I'm not one to speak from experience, but isn't the whole concept of a wiki supposed to render security irrelevant? Additionally, the wiki format (instead of a forum), is that editing a page is for non-registered users should be as easy and quick as possible. If anything, the default should be lower than 5 (like 2 characters). I appreciate the ability to configure the min_length, but does this have any ramifications on **/setup** files? Like in the case of upgrading?'' -- Sam
====
Deletions:
Now minimum password length is Admin-configurable and will be enforced in ""UserSettings"" for registration and login. (Make sure any existing passwords are of sufficient length first!) A good minimum is 8 characters but this patch maintains the current default of 5 in Wikka.


Revision [1380]

Edited on 2004-09-24 09:24:06 by JavaWoman [ypot (where's the chullspecker?)]
Additions:
Currently the system only enforces a minimum password length of 5 characters. That's generally not considered a very secure password, so my first action was to make this minimum length Admin-configurable.
Deletions:
Currently the system only enforces a minimum password length of 5 characters. That's gewnerally not considered a very secure password, so my first action was to make this minimum length Admin-configurable.


Revision [1379]

The oldest known version of this page was created on 2004-09-24 09:21:42 by JavaWoman [ypot (where's the chullspecker?)]