[aur-general] Registering, misspelling email, losing account
Hello, everyone! So today I decided to contribute to AUR and register an account. I was pretty surprised by the fact that registration form asked me about SSH and PGP key information, but never asked me about password. At the moment, I was impressed. Not for long, though. I was pretty confused by the fact that I will receive a "reset password" email. Soon after that, I realized that it might be some kind of "account confirmation". The common way of confirming emails is using some "confirmation link". Keeping it simple, AUR got rid of such an ugly feature and basically confirms that email is correct by letting the email owner set the password. Great idea, right? Wrong. I would love to call it a great idea. It really follows "keep it simple" principle. Instead of implementing email confirmation, AUR seems to use the simple principle: "If you can set the password, you're definitely the legitimate owner". I would have supported this concept if it wasn't for one thing: I can't access my own account. That's right, I messed up. Instead of typing fastmail.com, I typed fastmai.com. And now there is no way I can access my account. The only option is to send an email to this mailing list describing my problem and hope that somebody will help me out. Basically, that's what I'm doing right now. People tend to make mistakes. I'm not the only one who messed up during registration. And there is no easy way to get our account back. Mailing list is not the best option for account recovery. What if the misspelled email exists and the owner decides to proceed and register? What if the owner decides to do nasty things using my username, full name and email that looks alike? That would affect my reputation in the community since it's difficult to prove that I was not the bad guy. The usual "account activation" prevents this stuff. A lot of web sites do not automatically log user in after account confirmation, so it kind of prevents malicious activity (the bad guy doesn't know the password, you see). I would love to see the community grow as much as I would love to get my account back, so I wrote this message in a way that might start a discussion. I might be wrong about "bad design", though. So I welcome replies that explain why this design is better than others. And by the way, the fact that you can use an unused (not registered) email in account recovery and not get any errors is frustrating. Took me 8 hours to realize that it says "okay", even though the email is not in use. Please, do something about it! -- Best regards, Igor Morozov moroz@fastmail.com
On 26/07/15 04:01 PM, Igor Morozov wrote:
That's right, I messed up. Instead of typing fastmail.com, I typed fastmai.com. And now there is no way I can access my account. The only option is to send an email to this mailing list describing my problem and hope that somebody will help me out. Basically, that's what I'm doing right now.
Okay, so it can ask the user to provide the same email in two fields. It could treat an unconfirmed account as a temporary placeholder and replace it if registration is done again for the same username. It shouldn't be possible to log in without confirming the email unless all of the actions (voting, submitting packages, commenting, etc.) beyond editing account information are gated on whether the account is registered.
People tend to make mistakes. I'm not the only one who messed up during registration. And there is no easy way to get our account back. Mailing list is not the best option for account recovery. What if the misspelled email exists and the owner decides to proceed and register? What if the owner decides to do nasty things using my username, full name and email that looks alike? That would affect my reputation in the community since it's difficult to prove that I was not the bad guy. The usual "account activation" prevents this stuff. A lot of web sites do not automatically log user in after account confirmation, so it kind of prevents malicious activity (the bad guy doesn't know the password, you see).
Someone could have just created a fake account before you did, so it's really not an issue related to the confirmation design.
And by the way, the fact that you can use an unused (not registered) email in account recovery and not get any errors is frustrating. Took me 8 hours to realize that it says "okay", even though the email is not in use. Please, do something about it!
Emails aren't received instantly, so there's no error to report during registration.
Wow, with a name ending in Morozov, you sure doth protest to much. On Sun, Jul 26, 2015 at 4:29 PM, Daniel Micay <danielmicay@gmail.com> wrote:
On 26/07/15 04:01 PM, Igor Morozov wrote:
That's right, I messed up. Instead of typing fastmail.com, I typed fastmai.com. And now there is no way I can access my account. The only option is to send an email to this mailing list describing my problem and hope that somebody will help me out. Basically, that's what I'm doing right now.
Okay, so it can ask the user to provide the same email in two fields.
It could treat an unconfirmed account as a temporary placeholder and replace it if registration is done again for the same username.
It shouldn't be possible to log in without confirming the email unless all of the actions (voting, submitting packages, commenting, etc.) beyond editing account information are gated on whether the account is registered.
People tend to make mistakes. I'm not the only one who messed up during registration. And there is no easy way to get our account back. Mailing list is not the best option for account recovery. What if the misspelled email exists and the owner decides to proceed and register? What if the owner decides to do nasty things using my username, full name and email that looks alike? That would affect my reputation in the community since it's difficult to prove that I was not the bad guy. The usual "account activation" prevents this stuff. A lot of web sites do not automatically log user in after account confirmation, so it kind of prevents malicious activity (the bad guy doesn't know the password, you see).
Someone could have just created a fake account before you did, so it's really not an issue related to the confirmation design.
And by the way, the fact that you can use an unused (not registered) email in account recovery and not get any errors is frustrating. Took me 8 hours to realize that it says "okay", even though the email is not in use. Please, do something about it!
Emails aren't received instantly, so there's no error to report during registration.
And I just top posted, like a fool. On Sun, Jul 26, 2015 at 5:41 PM, David Kaylor <dpkaylor@gmail.com> wrote:
Wow, with a name ending in Morozov, you sure doth protest to much.
On Sun, Jul 26, 2015 at 4:29 PM, Daniel Micay <danielmicay@gmail.com> wrote:
On 26/07/15 04:01 PM, Igor Morozov wrote:
That's right, I messed up. Instead of typing fastmail.com, I typed fastmai.com. And now there is no way I can access my account. The only
option is to send an email to this mailing list describing my problem and hope that somebody will help me out. Basically, that's what I'm doing right now.
Okay, so it can ask the user to provide the same email in two fields.
It could treat an unconfirmed account as a temporary placeholder and replace it if registration is done again for the same username.
It shouldn't be possible to log in without confirming the email unless all of the actions (voting, submitting packages, commenting, etc.) beyond editing account information are gated on whether the account is registered.
People tend to make mistakes. I'm not the only one who messed up during registration. And there is no easy way to get our account back. Mailing list is not the best option for account recovery. What if the misspelled email exists and the owner decides to proceed and register? What if the owner decides to do nasty things using my username, full name and email that looks alike? That would affect my reputation in the community since it's difficult to prove that I was not the bad guy. The usual "account activation" prevents this stuff. A lot of web sites do not automatically log user in after account confirmation, so it kind of prevents malicious activity (the bad guy doesn't know the password, you see).
Someone could have just created a fake account before you did, so it's really not an issue related to the confirmation design.
And by the way, the fact that you can use an unused (not registered) email in account recovery and not get any errors is frustrating. Took me 8 hours to realize that it says "okay", even though the email is not in use. Please, do something about it!
Emails aren't received instantly, so there's no error to report during registration.
Le 26/07/2015 22:29, Daniel Micay a écrit :
On 26/07/15 04:01 PM, Igor Morozov wrote:
That's right, I messed up. Instead of typing fastmail.com, I typed fastmai.com. And now there is no way I can access my account. The only option is to send an email to this mailing list describing my problem and hope that somebody will help me out. Basically, that's what I'm doing right now. Okay, so it can ask the user to provide the same email in two fields.
It could treat an unconfirmed account as a temporary placeholder and replace it if registration is done again for the same username.
It shouldn't be possible to log in without confirming the email unless all of the actions (voting, submitting packages, commenting, etc.) beyond editing account information are gated on whether the account is registered.
People tend to make mistakes. I'm not the only one who messed up during registration. And there is no easy way to get our account back. Mailing list is not the best option for account recovery. What if the misspelled email exists and the owner decides to proceed and register? What if the owner decides to do nasty things using my username, full name and email that looks alike? That would affect my reputation in the community since it's difficult to prove that I was not the bad guy. The usual "account activation" prevents this stuff. A lot of web sites do not automatically log user in after account confirmation, so it kind of prevents malicious activity (the bad guy doesn't know the password, you see). Someone could have just created a fake account before you did, so it's really not an issue related to the confirmation design.
And by the way, the fact that you can use an unused (not registered) email in account recovery and not get any errors is frustrating. Took me 8 hours to realize that it says "okay", even though the email is not in use. Please, do something about it! Emails aren't received instantly, so there's no error to report during registration.
Sorry to respond so late, but I had a little idea (but maybe it’s not a good one) to enhance things here. OP was concerned about the owner of the false adress being capable to do nasty things. Since it seems we ask for PGP key, would it be possible for the server to encrypt the account confirmation mail ? And check that (one of) the email(s) on the key correspond to the one provided during registration (to help once again avoiding typos, but see also below)? Thus, even if the malicious bad guy registers a false account using your nickname and your full name, they are two possibilities: – he registers with an email he owns, using a false GPG key. You may then prove this and show it wasn’t you (which was the concern). – he registers with your key, but then the email verification step blocks him. Any thoughts?
On Tue, 25 Aug 2015 at 01:42 Bruno Pagani <bruno.pagani@ens-lyon.org> wrote:
Le 26/07/2015 22:29, Daniel Micay a écrit :
On 26/07/15 04:01 PM, Igor Morozov wrote:
That's right, I messed up. Instead of typing fastmail.com, I typed fastmai.com. And now there is no way I can access my account. The only option is to send an email to this mailing list describing my problem and hope that somebody will help me out. Basically, that's what I'm doing right now. Okay, so it can ask the user to provide the same email in two fields.
It could treat an unconfirmed account as a temporary placeholder and replace it if registration is done again for the same username.
It shouldn't be possible to log in without confirming the email unless all of the actions (voting, submitting packages, commenting, etc.) beyond editing account information are gated on whether the account is registered.
People tend to make mistakes. I'm not the only one who messed up during registration. And there is no easy way to get our account back. Mailing list is not the best option for account recovery. What if the misspelled email exists and the owner decides to proceed and register? What if the owner decides to do nasty things using my username, full name and email that looks alike? That would affect my reputation in the community since it's difficult to prove that I was not the bad guy. The usual "account activation" prevents this stuff. A lot of web sites do not automatically log user in after account confirmation, so it kind of prevents malicious activity (the bad guy doesn't know the password, you see). Someone could have just created a fake account before you did, so it's really not an issue related to the confirmation design.
And by the way, the fact that you can use an unused (not registered) email in account recovery and not get any errors is frustrating. Took me 8 hours to realize that it says "okay", even though the email is not in use. Please, do something about it! Emails aren't received instantly, so there's no error to report during registration.
Sorry to respond so late, but I had a little idea (but maybe it’s not a good one) to enhance things here.
OP was concerned about the owner of the false adress being capable to do nasty things. Since it seems we ask for PGP key, would it be possible for the server to encrypt the account confirmation mail ? And check that (one of) the email(s) on the key correspond to the one provided during registration (to help once again avoiding typos, but see also below)?
Thus, even if the malicious bad guy registers a false account using your nickname and your full name, they are two possibilities:
– he registers with an email he owns, using a false GPG key. You may then prove this and show it wasn’t you (which was the concern). – he registers with your key, but then the email verification step blocks him.
Any thoughts?
Why don't we do what every other site does and have a confirm email field? Or a way to change passwords over ssh, since putting in a public key is a field on registration as well? - Justin
On 08/24/2015 07:44 PM, Justin Dray wrote:
Why don't we do what every other site does and have a confirm email field? Or a way to change passwords over ssh, since putting in a public key is a field on registration as well?
- Justin
https://lists.archlinux.org/pipermail/aur-dev/2015-August/003736.html -- Eli Schwartz
Am 26. Juli 2015 22:01:11 MESZ, schrieb Igor Morozov <moroz@fastmail.com>:
Hello, everyone!
So today I decided to contribute to AUR and register an account. I was pretty surprised by the fact that registration form asked me about SSH and PGP key information, but never asked me about password. At the moment, I was impressed. Not for long, though. I was pretty confused by the fact that I will receive a "reset password" email. Soon after that, I realized that it might be some kind of "account confirmation". The common way of confirming emails is using some "confirmation link". Keeping it simple, AUR got rid of such an ugly feature and basically confirms that email is correct by letting the email owner set the password. Great idea, right?
Wrong.
I would love to call it a great idea. It really follows "keep it simple" principle. Instead of implementing email confirmation, AUR seems to use the simple principle: "If you can set the password, you're definitely the legitimate owner". I would have supported this concept if it wasn't for one thing: I can't access my own account. That's right, I messed up. Instead of typing fastmail.com, I typed fastmai.com. And now there is no way I can access my account. The only option is to send an email to this mailing list describing my problem and hope that somebody will help me out. Basically, that's what I'm doing right now.
People tend to make mistakes. I'm not the only one who messed up during registration. And there is no easy way to get our account back. Mailing list is not the best option for account recovery. What if the misspelled email exists and the owner decides to proceed and register? What if the owner decides to do nasty things using my username, full name and email that looks alike? That would affect my reputation in the community since it's difficult to prove that I was not the bad guy. The usual "account activation" prevents this stuff. A lot of web sites do not automatically log user in after account confirmation, so it kind of prevents malicious activity (the bad guy doesn't know the password, you see).
I would love to see the community grow as much as I would love to get my account back, so I wrote this message in a way that might start a discussion. I might be wrong about "bad design", though. So I welcome replies that explain why this design is better than others.
And by the way, the fact that you can use an unused (not registered) email in account recovery and not get any errors is frustrating. Took me 8 hours to realize that it says "okay", even though the email is not in use. Please, do something about it!
-- Best regards, Igor Morozov moroz@fastmail.com
... or you could ask on the AUR mailing list, if some operator could help you with your problem. You inflate this issue beyond any reason. If you have an account problem, wait for a reasonable time and ask an Op. If you think the design is flawed, open a bug report for the project bug tracker in the main Arch bugzilla and propose a new mechanism.
participants (7)
-
Bruno Pagani
-
Daniel Micay
-
David Kaylor
-
Eli Schwartz
-
Igor Morozov
-
Justin Dray
-
Sascha Shaw