Passwords and authentication


(Caue Rego) #1

I just signed up for a profile in the BurningMan and they did one thing I really enjoyed. Sent a secure password over email, and didn’t ask me to change it.

Now, I’m also here for at least 3 other reasons, all related to what I think about passwords and authentication, but rather share them elsewhere (as it’s also a lot of ideas I need to organize).

Back to focus: how about implementing that in here?

If people don’t want to use any open auth, send in an email with a random generated secure password over email. And don’t ask to change later, but offer a button on the side which can’t be missed.

I realize how “insecure” that may look like, sending in passwords through email and storing them there, then not asking to change… But think about it.

Whoever chooses to have a password instead of oAuth isn’t so worried about security in the first place. They will probably note it down somewhere. If it’s this convenient, maybe at least they’ll keep a more secure pass for every other technical aspect of it. And for everyone else who wants to keep it secure, just change it.

After thinking so much about authentication, I think this is quite a good idea! Of course, although clearly not mine, I’m still biased. :slight_smile:


(cpradio) #2

Wait … what!!! That is an oxymoron. If they sent it over email, chances are, it is no longer secure.

Plus how does this differentiate from the user just choosing a password when they sign up (assuming you have local logins enabled)? They could just write down their password when they signup…

Someone call Troy Hunt, he has another good example of bad security. :laughing: (fyi, you may want to read some of his articles to understand why Discourse would never implement this)


(Stefano Costa) #3

Completely agree, of course: a password sent by e-mail is insecure by definition.

See Plain Text Offenders for a long list of websites that will happily send your password in cleartext. I wouldn’t want to see Discourse listed there.


(Rafael dos Santos Silva) #4

Also if your e-mail is sent without SSL you got also another huge problem.

https://www.google.com/transparencyreport/saferemail/?hl=en

40% of e-mails that come into Gmail are sent without encryption!


(Caue Rego) #5

I feel like nobody read the whole topic… Which means I’ve failed once again in explaining myself. :frowning:

But, since it is a bit big and clearly confusing, let me try to quote the relevant part to all the questions.

The difference from this and user choosing a password is most users won’t choose a secure password. The ones who need security are per definition the ones who won’t do it properly in the first place. The unaware users. Where are the main security breaches to begin with? I don’t know, but I guess leaking databases happens way more than intercepting registration emails (very different from “forgot password” sending in emails).


(cpradio) #6

No, I read it, I simply can’t fathom that as a solution versus having a “pick a password for me” in the signup process that may display on the screen. Shipping it by email is crazy.


(Caue Rego) #7

Well, if nobody else can agree, I’ll do my research to confirm my suspicion and come back with results. I’ve done it before (look at all the meta data around), just hope I got the time to do it now again.


(Felix Freiberger) #8

I don’t really get why. If I can intercept passwords sent via mail, I can also intercept password reset requests sent via mail, and reset any secure password to one of my choosing.


(Robin Ward) #9

Those emails are timed and one use only. A password might not be changed and lasts a lot longer.


(Felix Freiberger) #10

Good point. On the other hand, an attacker can request a password reset mail whenever he wants; if he missed the password mail, it’s too late.


An alternative might be a password-less login leveraging mail: Whenever the user wants to log in, he is sent a mail with a one-time login link – just as the /users/admin-login page works for admins.


(Jeff Wong) #11

That’s what the minimum password requirements are for. To stop the user from choosing a password under a certain length, or from choosing the most common passwords.


(Caue Rego) #12

Love how @fefrei got my point! :slight_smile:

Except…

That alternative is just a gimmick, and add much more points of failure than a 1 time password sent at registration. That is a very important aspect on why this is much better than having a “forgot password” - which is far from the topic here.

Do let people take notes, by all means. Who here doesn’t use a password manager?! Secure your notepad of passwords the way you prefer, but realize we all need it.

But since we keep getting back at the forgetting password issue… Suppose people still lose it anyway. And they/we surely will, at some point. What then? There is still no good answer, imho.

The only secure way to go about it without moderation is creating a new account. There could also be a way for guest posting moderation support requests to intervene. (That is, until we’ve got an Ai smart enough to uniquely identify people through their usage patterns and filter out even further how many people would still need a moderator).

Keep in mind there should be much less people “forgetting” their password with the op suggested measure, anyway.


(Jeff Wong) #13

Aside from the live email account itself being compromised, there is another attack that you aren’t taking into account. What happens if the email storage end is swiped?

In your solution – You have plaintex password within emails. You’re compromised.

In a password reset link situation, you have old one-use links that are more than likely invalid by the time the attacker sifts through them.

I agree that live MITM attacks are problematic, but there is a fair bit of protection offered for time sensitive tokens.


(Caue Rego) #14

I just, conveniently, didn’t want to go there. :smiley:

Yes, that is the biggest failure in this idea indeed. But, in practice, how much of a risk this really is? That’s the kind of data I still want to research about (once I can set my mind to it, and out of distractive themes, such as general relativity)! :wink: