
Passwords

Posted Apr 30, 2014 22:25 UTC (Wed) by dskoll (subscriber, #1630)
In reply to: A preview of HyperKitty's reimagined mailing list interface by mathstuf
Parent article: A preview of HyperKitty's reimagined mailing list interface

A mailing-list manager should not allow users to pick their own passwords. It should force them to use randomly-generated ones like TnPBxSnL8dQBcPzH or wNJNpnaUrswq4Zy8 and then write them down.

This pretty much eliminates passwords on the mailing-list site being used to exploit other sites and vice versa.



Passwords

Posted Apr 30, 2014 22:47 UTC (Wed) by mathstuf (subscriber, #69389)

I guess that works with mailing lists because the number of times I need to log in is usually 1 (to turn off delivery if I read the list via gmane/NNTP).

Or you just have "email me a login link" which times out in an hour or two and have no passwords whatsoever.

Passwords

Posted May 1, 2014 1:32 UTC (Thu) by zlynx (subscriber, #2285)

What it should really do is verify your identity by S/MIME or PGP signature.

Passwords

Posted May 1, 2014 5:18 UTC (Thu) by mathstuf (subscriber, #69389)

Where is the trust root? I don't want to have to hook into the WoT as seen by joe-schmo.com just to edit mailing list preferences. I also don't think having a "HyperKitty approved" set of global trust root(s) is a good idea. Reminds me too much of the SSL trainwreck we already have on our hands.

Passwords

Posted May 1, 2014 20:35 UTC (Thu) by clint (subscriber, #7076)

You could have per-user sets of OpenPGP trust roots, monkeysphere-style.

Passwords

Posted May 1, 2014 21:24 UTC (Thu) by mathstuf (subscriber, #69389)

Could you give more details? That sounds like giving the user the lock and key to something without knowing what "monkeysphere" is.

Passwords

Posted May 1, 2014 21:52 UTC (Thu) by clint (subscriber, #7076)

Let's say I have a shell account somewhere where I can run monkeysphere but there is no site-wide Monkeysphere policy or activity. Using whatever alternate methods I currently have to authenticate, I can log in and configure any set of OpenPGP keys to be trusted identity certifiers, and any set of OpenPGP userids to represent authorized users of my shell account.

You can implement the same concepts in anything that uses OpenPGP authentication, without using any Monkeysphere software: in effect, a per-user pair of (trusted keyring and a set of authorized user IDs). Everything is localized solely to you unless you choose it not to be.

Passwords

Posted May 2, 2014 11:24 UTC (Fri) by dskoll (subscriber, #1630)

That's over-engineering it. mathstuf's suggestion is probably fine: you just have "email me a login link" which times out in an hour or two and have no passwords whatsoever.
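
The "email me a login link" scheme that mathstuf and dskoll settle on, as an added illustration that is not part of the thread and not HyperKitty or Mailman code: a server-side store that issues a random token, keeps only its hash, and accepts it once within a two-hour window. The store class, the two-hour lifetime and the example URL are assumptions made for the example; the injectable clock exists so expiry can be exercised without waiting.

```python
import hashlib
import secrets
import time

# Assumed lifetime, matching the "hour or two" in the thread.
TOKEN_TTL_SECONDS = 2 * 60 * 60

# Assumed login endpoint; the real site would supply its own URL.
LOGIN_URL = "https://lists.example/accounts/login"


class LoginLinkStore:
    """Issue and redeem single-use e-mailed login tokens.

    Only a SHA-256 digest of each token is stored, so a leaked table
    does not yield usable links. A token is removed on first use and
    refused after TOKEN_TTL_SECONDS, so a link found in an old mailbox
    or a proxy log is worthless.
    """

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for tests
        self._pending = {}             # digest -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email):
        """Create a token for `email` and return the link to mail out."""
        token = secrets.token_urlsafe(32)      # 256 bits of CSPRNG entropy
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return f"{LOGIN_URL}?t={token}"

    def redeem(self, token):
        """Return the address for a valid token, or None.

        The entry is popped before checking expiry, so a token is gone
        after one attempt whether or not that attempt succeeds.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email

    def purge_expired(self):
        """Drop stale entries; returns how many were removed."""
        now = self._clock()
        stale = [d for d, (_, exp) in self._pending.items() if now > exp]
        for d in stale:
            del self._pending[d]
        return len(stale)


def token_from_link(link):
    """Extract the token from a link produced by LoginLinkStore.issue."""
    return link.rsplit("?t=", 1)[1]


if __name__ == "__main__":
    store = LoginLinkStore()
    link = store.issue("alice@example.org")
    print("mail this:", link)
    print("first use :", store.redeem(token_from_link(link)))
    print("second use:", store.redeem(token_from_link(link)))
```

Looking the digest up in a dictionary is fine here: the token has 256 bits of entropy, so a timing side channel on the comparison gives an attacker nothing to work with, and there is no password-style secret to brute-force offline.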

Passwords

Posted May 2, 2014 14:35 UTC (Fri) by mathstuf (subscriber, #69389)

Agreed. It's a mailing list and not a bank account. We don't need to go from "plaintext storage we email you every month" to "PGP-based web of trust" for it. Now, for the banks…


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds