I understand the point you're making, but there is a problem that is difficult to circumvent here. First, we like to give people the ability to receive an email reminder when they forget their account password. Second, we like to let people update their info when they change email accounts.

How do we go about satisfying both criteria, while making it impossible, for someone who has gained unauthorized access to a PM account, to update the email address and password? We can strengthen password security by forcing password aging, trickier passwords, and other such strategies (each of which make the site more difficult to use, and introduce the potential for increased user error), but ultimately, if we want to let people update their own user info, I don't see how we could prevent anyone who gains access to the account from doing the same.

Hiding email info from a user won't prevent that user from updating his email address. And if he can update his email address, so can anyone else who knows his password.

Protect your passwords, and if you should happen to believe your account has been comprimised, pray to the gods that they might help you get it sorted out. At least we have some nice people here who may help out.

The proposal was to not allow you to change your e-mail address unless you can enter your old (current) e-mail correctly; making your e-mail address a bit like a second password.

A problem with this is that it needs to address the unlikely situation of someone not remembering what their old e-mail address was. Or, more likely, when someone enters their e-mail address incorrectly and doesn't notice and so can never change their e-mail address again.

This is the same reason why I haven't made it so you have to enter your old password in order to change your password.

Perhaps you should be required to enter at least two of your password, e-mail address, and "real name" in order to be able to change (or see) any of them?

And it'd be nice if we had a solution for the "I forgot my password and I no longer have that e-mail address" problem.

At least we no longer output the password in the HTML when you edit your home node.

- tye        

I would like to see an option for users to upload their public PGP/GPG key. It's the sort of situation that public key crypto was designed for - I can give every site my public key, and it can't be 'stolen'.

Fair enough that moves the problem from "I forgot my password" to "I lost my private key", but people tend to take more care of their private key.

(I'm sure you know this, I'm just going for a bit of an expository ramble here :)

e.g. I really wish I had of uploaded my public key to perlmonk.org since I've changed my password and forgot to note it down in my top secret "net passwords" file. Now I've gotta do exactly what the top poster said - convince jcwren that I'm not some yahoo trying to hijack an account.

And as for the forgetting the email address problem - it does happen. I've been on the web long enough that I have accounts on servers where the email address is now invalid due to me moving ISPs - perlmonks is one of those (I'd better go fix it now).

___________________
Jeremy
I didn't believe in evil until I dated it.

Whilst I love the Perl Monks as much as the next person, if my email account were compromised access to this site would be the least of my worries.

As it is the email address of monks is not visible to visitors to their home nodes, so I'm not sure I understand what would be gained from adding another test to the edit user page. Sure it raises the bar slightly, but not enough to make it possible to prove your identity.

After all if the email address 'foo@bar.com' corresponding to a Monk were compromised surely they would just enter 'foo@bar.com' into the field anyway? This would only gain a user security if they used one specific email address which was non-public for this site, and nothing else.

To explain a bit so you 'get' what she was referring to. Two problems present themselves with a public site such as PM. First, you have to login to the site from somewhere "out there." From a public PC or even your own, the password and/or cookie value might get 'sniffed' on the wire. Second, as Petruchio so visibly reminds, this is a public site and while clicking around your cookie value might get sniffed.

So it is not your email account that is worried about in DigitalKittys question. It is your PM identity, which could be cracked, co-opted, the email address changed and then how do you get it back to being accessible only by you? So, back to the original question...

Which "old" address? The original one (which might be invalid now) or simply the previous one? If you go for the last option: what stops an intruder from changing your e-mail address twice, so he still gets the confirmation mail and he can prove he is the "real" you?

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

what stops an intruder from changing your e-mail address twice (...)

Nothing, but you would still receive the notification for the first change. If the old (previous or original) address is invalid, the mail gets bounced - bad luck (or doesn't matter in the more likely case you wanted to change the address because of that).

I know it's a weak proof, thats why I put it in quotes, but I think the notification might be a good feature.

This sounds like a good idea at first, but it turns out that it is equivalent to simply having another login. To use this system right now:

*Create yourself a second login.

*On your DigitalKitty page, add the sentence "DigitalKitty also logs on as <OtherAccountName>".

Voila! Instant keyword/phrase implementation of your idea, without someone having to code it up. If you forget your DigitalKitty login, just login under your second account and ask someone to change the DigitalKitty password. When they challenge you, point them to your homenode.

Backup passwords/accounts tend to be worse than useless, because if you're going to forget your primary password, you'll forget your backup as well because it is used even less.

davido's suggestion adds a layer of complexity while still being vulnerable to the original problem. And if your solution to the forgetting problem is to make the keyword your mother's name, or your favourite band, you might as well just use that as your password.

___________________
Jeremy
I didn't believe in evil until I dated it.

That is a nice idea!

Although someone will manage to crash his harddisk, forgot to make a backup or generally has his "registration email" misfiled or by switching to another mail reader cannot access it anymore and he will still have to petition the gods to get his account back.

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

However, no system which relies on a password scheme to limit entry is safe once the password is compromised. Once you have passed all password-controls, you are essentially free to do as you please (or the system allows you to do within the privileges granted to you by your current access-level). Simply (or naively) adding additional passwords (or public keys, ...) only transfers the problem one level further: What happens if this password, ... also gets compromised, lost, forgotten, invalidated, ...?

Your posting however begs another question: have any PM-accounts been compromised or stolen from their rightful owners?