[aur-general] Registering, misspelling email, losing account

Justin Dray justin at dray.be
Mon Aug 24 23:44:38 UTC 2015


On Tue, 25 Aug 2015 at 01:42 Bruno Pagani <bruno.pagani at ens-lyon.org> wrote:

> On 26/07/2015 22:29, Daniel Micay wrote:
> > On 26/07/15 04:01 PM, Igor Morozov wrote:
> >> That's right, I messed up. Instead of typing fastmail.com, I typed
> >> fastmai.com. And now there is no way I can access my account. The only
> >> option is to send an email to this mailing list describing my problem
> >> and hope that somebody will help me out. Basically, that's what I'm
> >> doing right now.
> > Okay, so it can ask the user to provide the same email in two fields.
> >
> > It could treat an unconfirmed account as a temporary placeholder and
> > replace it if registration is done again for the same username.
> >
> > It shouldn't be possible to log in without confirming the email unless
> > all of the actions (voting, submitting packages, commenting, etc.)
> > beyond editing account information are gated on whether the account is
> > registered.
> >
> >> People tend to make mistakes. I'm not the only one who messed up during
> >> registration. And there is no easy way to get our account back. A mailing
> >> list is not the best option for account recovery. What if the misspelled
> >> email exists and the owner decides to proceed and register? What if the
> >> owner decides to do nasty things using my username, full name and an email
> >> that looks alike? That would affect my reputation in the community since
> >> it's difficult to prove that I was not the bad guy.
> >> The usual "account activation" prevents this stuff. A lot of web sites
> >> do not automatically log the user in after account confirmation, so it kind
> >> of prevents malicious activity (the bad guy doesn't know the password,
> >> you see).
> > Someone could have just created a fake account before you did, so it's
> > really not an issue related to the confirmation design.
> >
> >> And by the way, the fact that you can use an unused (not registered)
> >> email in account recovery and not get any errors is frustrating. Took me
> >> 8 hours to realize that it says "okay", even though the email is not in
> >> use. Please, do something about it!
> > Emails aren't received instantly, so there's no error to report during
> > registration.
> >
>
> Sorry to respond so late, but I had a little idea (but maybe it’s not a
> good one) to enhance things here.
>
> OP was concerned about the owner of the false address being capable of doing
> nasty things. Since it seems we ask for a PGP key, would it be possible
> for the server to encrypt the account confirmation mail? And check that
> (one of) the email(s) on the key corresponds to the one provided during
> registration (to help once again avoid typos, but see also below)?
>
> Thus, even if the malicious bad guy registers a false account using your
> nickname and your full name, there are two possibilities:
>
> – he registers with an email he owns, using a false GPG key. You may
> then prove this and show it wasn’t you (which was the concern).
> – he registers with your key, but then the email verification step
> blocks him.
>
> Any thoughts?
>
>
Why don't we do what every other site does and have a confirm email field?
Or a way to change passwords over ssh, since putting in a public key is a
field on registration as well?

- Justin
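An added sketch, not aurweb's own code, of the registration rules proposed in this thread: a second email field that must match, an unconfirmed account kept only as a placeholder that a repeat registration for the same username overwrites, and any privileged action gated on confirmation. The PGP part is reduced to checking the registered address against the key's user-ID addresses, which the caller is assumed to have already extracted from the key.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _hash_token(token: str) -> str:
    """Store only a hash of the confirmation token, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    confirmed: bool = False
    token_hash: Optional[str] = None


class Registry:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Constructed stand-in for the mailer: (address, token) pairs "sent".
        self.outbox: List[Tuple[str, str]] = []

    def register(self, username: str, email: str, confirm_email: str,
                 pgp_uids: Tuple[str, ...] = ()) -> Account:
        # Confirm-email field: catches the fastmai.com/fastmail.com typo up front.
        if email.strip().lower() != confirm_email.strip().lower():
            raise ValueError("email fields do not match")
        # If a key was given, its user IDs must carry the registered address.
        if pgp_uids and email.lower() not in {u.lower() for u in pgp_uids}:
            raise ValueError("email is not a user ID on the supplied PGP key")
        existing = self.accounts.get(username)
        if existing is not None and existing.confirmed:
            raise ValueError("username already taken")
        # An unconfirmed account is only a placeholder; a new registration
        # replaces it and invalidates the earlier confirmation token.
        token = secrets.token_urlsafe(32)
        self.accounts[username] = Account(username, email, False, _hash_token(token))
        self.outbox.append((email, token))
        return self.accounts[username]

    def confirm(self, username: str, token: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.confirmed or acct.token_hash is None:
            return False
        if not secrets.compare_digest(acct.token_hash, _hash_token(token)):
            return False
        acct.confirmed, acct.token_hash = True, None
        return True

    def can_act(self, username: str) -> bool:
        """Voting, submitting packages, commenting: only for confirmed accounts."""
        acct = self.accounts.get(username)
        return acct is not None and acct.confirmed
```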
