[OpenStreetMap] #5130: Reset password facility leaks email addresses
OpenStreetMap
trac at noreply.openstreetmap.org
Tue Feb 25 15:01:07 UTC 2014
#5130: Reset password facility leaks email addresses
-----------------------+-------------------------
Reporter: oxplot | Owner: rails-dev@…
Type: defect | Status: closed
Priority: critical | Milestone:
Component: website | Version:
Resolution: wontfix | Keywords:
-----------------------+-------------------------
Comment (by oxplot):
Replying to [comment:3 TomH]:
> Those companies also have hundreds or thousands of paid support staff to
> deal with users who can't manage to reset their passwords. We have me.
And you love your users more than the crowd. Those big companies (e.g.
Google) don't actually provide any support for lost accounts. It's just
not feasible when you have millions of users (unless they are a paid
customer). Heck, they even close people's accounts on suspicion that
they're compromised and that's fine.
> I have no problem changing the current system if somebody can provide
> suggestions for a replacement which will not lead to a major loss of
> usability
Like I mentioned before, implement a rate limiter, like reCAPTCHA but only
show it when traffic from an IP goes over a certain threshold. This way, the
majority of users won't see it (no loss of usability), but if anyone tries
to brute force your DB, it gets hard fast. True that reCAPTCHA can be
defeated (e.g. human bots), but it's much more difficult and expensive to
do compared to a 10-line bash script that I wrote in under a minute.
Now, reading your comments, I just realized that this needs to be done on
the sign-up page as well (if not already).
--
Ticket URL: <https://trac.openstreetmap.org/ticket/5130#comment:6>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
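The threshold-triggered CAPTCHA that oxplot proposes, sketched as an added example in Ruby (not OpenStreetMap's own code): one per-IP sliding-window counter shared by the reset-password and sign-up forms, which stays invisible to ordinary users and demands a challenge only once an address goes over the limit. The class name, threshold and window values, and the injectable clock are assumptions for illustration.

```ruby
# Added example (not OpenStreetMap code): per-IP attempt counter that
# escalates to a CAPTCHA requirement, so normal users never see a challenge
# while bulk email-enumeration against reset/sign-up gets expensive quickly.
class EnumerationThrottle
  # threshold: attempts allowed per IP inside window_seconds before a CAPTCHA
  # is demanded. `now` is injectable so the behaviour can be tested offline.
  def initialize(threshold: 5, window_seconds: 600, now: -> { Time.now.to_f })
    @threshold = threshold
    @window = window_seconds
    @now = now
    @hits = Hash.new { |h, k| h[k] = [] } # ip => [timestamps of recent attempts]
  end

  # Record one email lookup (reset request or sign-up check) from ip and
  # return :ok or :captcha_required. Both forms share this counter so a
  # brute-force run cannot dodge the limit by alternating between them.
  def check(ip)
    t = @now.call
    stamps = @hits[ip]
    stamps.push(t)
    stamps.reject! { |s| s < t - @window } # drop attempts outside the window
    stamps.size > @threshold ? :captcha_required : :ok
  end

  # Call once the user has solved the CAPTCHA; resets that IP's window.
  def clear(ip)
    @hits.delete(ip)
  end
end

# Client-facing outcome for a reset request. The message is the same whether
# or not the address is registered; only the throttle verdict changes it.
def reset_request_outcome(throttle, ip)
  case throttle.check(ip)
  when :captcha_required
    { status: :captcha_required, message: 'Please complete the CAPTCHA to continue.' }
  else
    { status: :ok, message: 'If that address is registered, a reset link has been sent.' }
  end
end

if __FILE__ == $PROGRAM_NAME
  t = EnumerationThrottle.new(threshold: 3, window_seconds: 60)
  6.times { |i| puts "attempt #{i + 1}: #{reset_request_outcome(t, '203.0.113.9')[:status]}" }
end
```

The constructed IP 203.0.113.9 comes from a documentation range; wire `clear` to the CAPTCHA success callback and persist the hit table in a shared store if the site runs more than one app server.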