rename -> *.git

[irc.git] / software / RELEASES / ircservices / achurch.org / services / lists / ircservices / 2001 / 001656.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [IRCServices] Suggestion
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20Suggestion&In-Reply-To=3ab53607.41755%40prima-lan.net">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="001634.html">
   <LINK REL="Next"  HREF="001659.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[IRCServices] Suggestion</H1>
    <B>Mark Hetherington</B> 
    <A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20Suggestion&In-Reply-To=3ab53607.41755%40prima-lan.net"
       TITLE="[IRCServices] Suggestion">markh at eurodltd.co.uk
       </A><BR>
    <I>Tue Mar 20 19:14:04 PST 2001</I>
    <P><UL>
        <LI>Previous message: <A HREF="001634.html">[IRCServices] Suggestion
</A></li>
        <LI>Next message: <A HREF="001659.html">[IRCServices] Suggestion
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#1656">[ date ]</a>
              <a href="thread.html#1656">[ thread ]</a>
              <a href="subject.html#1656">[ subject ]</a>
              <a href="author.html#1656">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>&gt;<i> &gt;&gt;      Since users having their passwords taken almost
</I>&gt;<i> certainly means they
</I>&gt;<i> &gt;&gt; chose an easy-to-guess password, the right solution is to
</I>&gt;<i> educate the
</I>&gt;<i> &gt;&gt; users.  I don't see why Services should have to run
</I>&gt;<i> through hoops to try
</I>&gt;<i> &gt;&gt; and solve this problem.  (Of course, if your server is being
</I>&gt;<i> &gt;&gt; packet-sniffed, then you have other problems altogether.)
</I>&gt;<i> &gt;
</I>&gt;<i> &gt;This is correct, but you also have to see, that passwords
</I>&gt;<i> are &quot;guessed&quot;
</I>&gt;<i> &gt;via scripts, which use sockets (mirc has socket events e.g.)
</I>&gt;<i> And start a
</I>&gt;<i> &gt;good amount of connects, each with 3 nick password guesses,
</I>&gt;<i> sure it takes
</I>&gt;<i> &gt;time on good passwords, but sometimes users simply cannot
</I>&gt;<i> stop themselves
</I>&gt;<i> &gt;from setting the cellular phone number as their password, su
</I>&gt;<i> suddenly it
</I>&gt;<i> &gt;gets limited to numbers only etc, etc.
</I>&gt;<i>
</I>&gt;<i>      Hm, that's a good point.  Looks like I need a better way
</I>&gt;<i> to detect
</I>&gt;<i> password guessers.
</I>
Maybe emulate the system used for Car radios etc. After the first failure of
3 &quot;suspend&quot; the nickname for 1 hour, then 2 hours then 4 hours etc until it
is ultimately locked out entirely and an admin has to take steps to restore
the nickname to the user after sufficient authentication.

&gt;<i>
</I>&gt;<i> &gt;Each time a nickname is registered, a nick gets an
</I>&gt;<i> authentication code, a
</I>&gt;<i> &gt;la dalnet, which cannot be changed, and which is not shown.
</I>&gt;<i> Thi code is
</I>&gt;<i> &gt;emailed to the address given with the register command.
</I>&gt;<i> After that, the
</I>&gt;<i> &gt;person has to issue /nickserv AUTH &lt;code&gt; within some
</I>&gt;<i> services.conf days,
</I>&gt;<i> &gt;or the registration will expire. If people claim to have lost their
</I>&gt;<i> &gt;passwords, but can prove that they have the authentication
</I>&gt;<i> code, because
</I>&gt;<i> &gt;it was emailed to them, a services oper can issue /nickserv
</I>&gt;<i> GETAUTH nick,
</I>&gt;<i> &gt;and check the real authentication code against the given, if
</I>&gt;<i> they match,
</I>&gt;<i> &gt;it is highly possible that the person is the real owner, so
</I>&gt;<i> &gt;sendpass/getpass can be issued.
</I>&gt;<i>
</I>&gt;<i>      While this is a good idea if you want to ensure
</I>&gt;<i> accountability of your
</I>&gt;<i> users, I don't see how it solves the problem of E-mail addresses being
</I>&gt;<i> changed after registration.  On the other hand, if this is
</I>&gt;<i> applied to SET
</I>&gt;<i> EMAIL as well, you can avoid that problem; but then you have
</I>&gt;<i> to deal with
</I>&gt;<i> people who can't use their old address and distinguishing them from
</I>&gt;<i> crackers who guessed the password and want to steal the nick.
</I>
Is this or a similar authentication system likely to be in a future version
of services? It is a system I would like to see since if nothing else it
reduces the registrations &quot;made on a whim&quot; when the process is more work
than /ns register pass.

If not, would Yusuf care to share his &quot;patch&quot; with others?

Mark Hetherington.
CTCP Networks.



</PRE>

<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
        <LI>Previous message: <A HREF="001634.html">[IRCServices] Suggestion
</A></li>
        <LI>Next message: <A HREF="001659.html">[IRCServices] Suggestion
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#1656">[ date ]</a>
              <a href="thread.html#1656">[ thread ]</a>
              <a href="subject.html#1656">[ subject ]</a>
              <a href="author.html#1656">[ author ]</a>
         </LI>
       </UL>

</body></html>