[jitsi-users] [jit.si] still does not have proper password recovery.


#1

I'm interested in recovering a password for an old account that I didn't
have written down.

So I went to the jitsi.org website page for jit.si to recover my password,
only to find out that the service only has a change password wizard and not
a password recovery form.

Any chance on fleshing the service out to have all features that are
standard with any account based service?


#2

I know of no [reputable] site that keeps passwords. It's a security
nightmare. What if the database gets hacked?
Better to save a hash that makes it computationally unfeasible to crack
passwords, and have a password-reset function to store the hash of the new
password.
A history of hashes can be kept to guard against re-use of a password.


On Sat, Dec 6, 2014 at 5:14 PM, Dreyeth <drdreyeth@gmail.com> wrote:

> I'm interested in recovering a password for an old account that I didn't
> have written down.
>
> So I went to the jitsi.org website page for jit.si to recover my
> password, only to find out that the service only has a change password
> wizard and not a password recovery form.
>
> Any chance on fleshing the service out to have all features that are
> standard with any account based service?

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
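The storage scheme described in this reply (keep only a slow hash, let a reset function replace it, keep a short hash history to refuse re-use) as an added worked example; this is not code from Jitsi or from the list, and the in-memory store, the scrypt work factors and the 15-minute token lifetime are assumptions chosen for the demo. It also shows the piece the reply implies but does not spell out: the reset token itself is stored only as a hash and expires, so a copied database does not yield usable tokens either.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# scrypt work-factor parameters: assumed values for this example, tune per deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HISTORY_DEPTH = 5          # how many earlier password hashes are kept to block re-use
RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    # (salt, digest) pairs of earlier passwords; no plaintext is ever kept
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    # only the SHA-256 of the reset token is stored, so a leaked table yields no live tokens
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0


class AccountStore:
    """In-memory stand-in for the account database (constructed for this example)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return verify_password(password, acct.salt, acct.digest)

    def begin_reset(self, username: str, now: float) -> str:
        """Issue a one-time reset token; the caller delivers it out of band (e.g. by e-mail).
        A token is produced even for unknown names so the response does not reveal
        which accounts exist; it is only recorded for real accounts."""
        token = secrets.token_urlsafe(32)
        acct = self.accounts.get(username)
        if acct is not None:
            acct.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
            acct.reset_expires_at = now + RESET_TOKEN_TTL
        return token

    def _used_before(self, acct: Account, password: str) -> bool:
        """True if the password matches the current hash or any kept history entry."""
        if verify_password(password, acct.salt, acct.digest):
            return True
        return any(verify_password(password, s, d) for s, d in acct.history)

    def complete_reset(self, username: str, token: str, new_password: str, now: float) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.reset_token_hash is None or now > acct.reset_expires_at:
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False
        if self._used_before(acct, new_password):
            return False  # recent password re-use is refused; the token stays valid for another try
        acct.history.append((acct.salt, acct.digest))
        acct.history = acct.history[-HISTORY_DEPTH:]
        acct.salt, acct.digest = hash_password(new_password)
        acct.reset_token_hash = None  # token is single-use
        return True
```

The history check has to re-run the slow hash once per kept entry, which is why HISTORY_DEPTH is kept small; a per-entry salt is retained so that old hashes stay individually salted rather than being rehashed under the current salt.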


#3

> Any chance on fleshing the service out to have all features that are
> standard with any account based service?

This isn't actually quite a standard feature, especially with XMPP
services: CCC doesn't allow you to retrieve passwords either. And it makes
quite a lot of sense, since the logs of your conversations aren't on the server:
no need to manage fake password resets (Matt Honan anyone?); no need
to ask you for retrieval information. The only thing you might want to retrieve
is your contacts list (but if you added them, one can suppose you know them
and are able to add them once again); otherwise you can treat your XMPP
account as a disposable address.

Just to say: not having a recovery procedure makes quite a lot of sense.

Daniele


#4

Hi,


On 6 December 2014 at 17:14, Theodore M Rolle, Jr. <stercor@gmail.com> wrote:

> I know of no [reputable] site that keeps passwords. It's a security
> nightmare. What if the database gets hacked?
> Better to save a hash that makes it computationally unfeasible to crack
> passwords, and have a password-reset function to store the hash of the new
> password.
> A history of hashes can be kept to guard against re-use of a password.

Unfortunately, many companies store passwords either encrypted or even
likely in plain text.

http://www.reddit.com/r/techsnap/comments/16yg0d/hall_of_shame_matchcom/
http://www.reddit.com/r/techsnap/comments/116tua/hall_of_shame_spanish_mobile_company_masmovil/

It's a terrible practice that will hopefully die soon. But then you
have to wonder what they hash with and hopefully it's not md5crypt.

-------
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si