[bbDev] Passwords

Sam Bauers sam at automattic.com
Fri Dec 7 02:35:48 GMT 2007


On 07/12/2007, at 8:49 AM, fel64 at loinhead.net wrote:

> Sam's phpass change reminded me of this: it seems bizarre to me that bb
> gives new users a random 6-digit password. That's really very insecure. If
> it's expected that users change their password anyway, then why not go
> whole hog and give them a securer 10-character letter-digit-symbol
> monstrosity?

I think that's overkill. 6 digits provides over 2 billion combinations  
which should be enough for a temporary password.

> Moving slightly to the user interface rather than a technical detail, even
> better in my opinion would be to make users activate their account by
> setting their password when they get a link in the mail. I suspect that a
> large proportion of people who register just copy and paste their
> pregenerated digits to log in the first time, then forget about it all and
> have problems logging in next time. Additionally, account activation would
> be nice to have; accounts that haven't been activated in a week, say,
> could be deleted.

I'd like to see some improvements to the sign-up process as well.  
Perhaps not specifically this, but something similar. I think it would  
be nice if the user only had to deal with one form on signup that  
asked for username, password and email. Then the email had a simple  
activation link which just logged them in. I'll take a look at what  
WordPress does as a starting point and we can evolve from there.

Sam

---------------------
Sam Bauers
Automattic, Inc.

sam at automattic.com
http://automattic.com
http://wordpress.com
http://wordpress.org
http://bbpress.org
http://unlettered.org
---------------------
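The two mechanisms discussed in this thread, a random temporary password and a single-use, expiring activation link, sketched as an added Python example (not bbPress code; the in-memory `PENDING` store, the function names and the one-week `ACTIVATION_TTL` are assumptions for illustration):

```python
import hashlib
import math
import secrets
import string
import time

ACTIVATION_TTL = 7 * 24 * 3600   # one week, the window suggested in the thread (assumed value)
PENDING = {}                      # constructed in-memory store: sha256(token) -> (user_id, issued_at)

def search_space_bits(alphabet_size, length):
    """Bits of entropy in a password drawn uniformly from alphabet_size ** length."""
    return length * math.log2(alphabet_size)

def temp_password(length=10, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Random temporary password from the OS CSPRNG (secrets), never from a seeded PRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def _fingerprint(token):
    # Only a hash of the token is stored, so a leaked table does not yield usable activation links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_activation(user_id, now=None):
    """Create a single-use activation token for a new user; returns the secret to put in the email."""
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
    PENDING[_fingerprint(token)] = (user_id, time.time() if now is None else now)
    return token

def activate(token, now=None):
    """Consume the token from the emailed link. Returns the user id, or None if unknown, used or expired."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_fingerprint(token), None)   # pop: a token works exactly once
    if entry is None:
        return None
    user_id, issued_at = entry
    if now - issued_at > ACTIVATION_TTL:
        return None                                  # link too old; the user must register again
    return user_id

def purge_unactivated(now=None):
    """Drop accounts whose activation window has lapsed; returns their user ids."""
    now = time.time() if now is None else now
    stale = [h for h, (_, issued_at) in PENDING.items() if now - issued_at > ACTIVATION_TTL]
    return [PENDING.pop(h)[0] for h in stale]
```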