[bbDev] Passwords

fel64 at loinhead.net
Fri Dec 7 09:36:59 GMT 2007


> On 07/12/2007, at 8:49 AM, fel64 at loinhead.net wrote:
>
>> Sam's phpass change reminded me of this: it seems bizarre to me that bb
>> gives new users a random 6-digit password. That's really very insecure. If
>> it's expected that users change their password anyway, then why not go
>> whole hog and give them a securer 10-character letter-digit-symbol
>> monstrosity?
>
> I think that's overkill. 6 digits provides over 2 billion combinations
> which should be enough for a temporary password.
>

If it's intentionally temporary, then you may as well make it secure - a
little something gained, nothing lost? But in any case, that's a makeshift
improvement rather than an actually better process.

>> Moving slightly to the user interface rather than a technical detail, even
>> better in my opinion would be to make users activate their account by
>> setting their password when they get a link in the mail. I suspect that a
>> large proportion of people who register just copy and paste their
>> pregenerated digits to login the first time, then forget about it all and
>> have problems logging in next time. Additionally, account activation would
>> be nice to have; accounts that haven't been activated in a week, say,
>> could be deleted.
>
> I'd like to see some improvements to the sign-up process as well.
> Perhaps not specifically this, but something similar. I think it would
> be nice if the user only had to deal with one form on signup that
> asked for username, password and email. Then the email had a simple
> activation link which just logged them in. I'll take a look at what
> WordPress does as a starting point and we can evolve from there.
>
> Sam
>
> ---------------------
> Sam Bauers
> Automattic, Inc.
>
> sam at automattic.com
> http://automattic.com
> http://wordpress.com
> http://wordpress.org
> http://bbpress.org
> http://unlettered.org
> ---------------------

Sounds good.
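
The activation flow proposed in this thread (an emailed link, the user sets their own password, accounts not activated within a week are deleted), sketched as an added example that is not bbPress code or code from either poster. The function names and the in-memory `$accounts` array are hypothetical, and PHP's built-in `password_hash()` stands in for phpass.

```php
<?php
// Added illustration: names and the in-memory store are hypothetical, not bbPress APIs.
const ACTIVATION_TTL = 7 * 24 * 3600; // the "week, say" from the thread, in seconds

// Registration creates no password at all, only the hash of a one-time token.
function register_pending(array &$accounts, string $user, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $accounts[$user] = [
        'email'      => $email,
        'token_hash' => hash('sha256', $token), // the clear token is never stored
        'created'    => $now,
        'password'   => null,
    ];
    return $token; // placed in the emailed activation link
}

// Activation sets the user's chosen password; the token is single-use and expires.
function activate(array &$accounts, string $user, string $token, string $newPassword, int $now): bool
{
    $acct = $accounts[$user] ?? null;
    if ($acct === null || $acct['token_hash'] === null) {
        return false; // unknown user, or already activated
    }
    if ($now - $acct['created'] > ACTIVATION_TTL) {
        return false; // link is older than a week
    }
    if (!hash_equals($acct['token_hash'], hash('sha256', $token))) {
        return false; // constant-time comparison failed
    }
    $accounts[$user]['password']   = password_hash($newPassword, PASSWORD_DEFAULT);
    $accounts[$user]['token_hash'] = null; // burn the token
    return true;
}

// Periodic cleanup: drop accounts that never activated within the TTL.
function purge_unactivated(array &$accounts, int $now): int
{
    $before   = count($accounts);
    $accounts = array_filter($accounts, fn($a) => $a['password'] !== null
        || $now - $a['created'] <= ACTIVATION_TTL);
    return $before - count($accounts);
}

// Constructed sample run: wrong token, valid token, token reuse, then cleanup.
$accounts = [];
$now      = time();
$token    = register_pending($accounts, 'alice', 'alice@example.org', $now);
var_dump(activate($accounts, 'alice', 'wrong-token', 'pw', $now));
var_dump(activate($accounts, 'alice', $token, 'correct horse battery', $now + 60));
var_dump(activate($accounts, 'alice', $token, 'second try', $now + 120));
register_pending($accounts, 'bob', 'bob@example.org', $now);
var_dump(purge_unactivated($accounts, $now + ACTIVATION_TTL + 1));
```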
