password recovery: is anyone happy?
05-05-2011, 06:15 PM
Post: #5
RE: password recovery: is anyone happy?
(04-30-2011 02:25 PM)tomtavoy Wrote:  The password recovery process gets discussed from time to time, but nothing ever happens. Well, maybe a significant number of customers are perfectly happy with the status quo.

I'm not perfectly happy with anything. But DH's system is convenient enough.

Quote:So if anyone likes the way things are, I invite them to say so here, and why.

Did I mention it was convenient? Oops, yah, did that.
Have I ever needed it? Nope.
Has my password ever been stolen? Nope.
Do I rotate administrative passwords on a reasonably frequent (..if perhaps irregular) basis? You betchya.
Do I have GMail? Sure, why not.
Do I use GMail for web or network administration purposes? Hell no.

But why wouldn't I complain?
Because there's about a gazillion other things I'd rather have the DH folks deal with than molly-coddling them that can't be arsed to remember their own administrative passwords.

Quote:To set the scene, I will say what happens now; then I will say what I think is wrong with it. Then (as a probably irrelevant appendix) I will say what I think *should* happen.

First, three lemmas:
Lemma 1: dreamhost actively encourages the use of gmail

Ok, that's worth a big LOLZ if it's your idea of evidence that DH "actively encourages" GMail for administrative accounts.

Quote:Lemma 2: gmail actively discourages deletion of messages

Do you use GMail for bank accounting or credit cards or ANYTHING other than maybe a Facebook subscription?
If so, it's a clever strategy you *may* want to re-think.

Quote:Lemma 3: the dreamhost password recovery email actively encourages you not to fret

And yet here you are still fretting over it.

Quote:This means that whenever you are logged into gmail, if anyone (your prankster brother-in-law, for example) gets hold of your keyboard, while your back is turned for just a few seconds, they can do a quick "search mail" for the text "don't fret", which will bring up any emails which dreamhost has sent you containing your password. They can then return the screen to your inbox, and when you come back a few seconds later, you will be none the wiser. I just tried it, and the process took 7 seconds.

Ok, *definitely* worth a big LOLZ.

If you're logged into an administrative account on your computer and your bro-in-law japes you on it - you got what ya planned for. Which is to say, your clever administrative scheme has failed and you need to devise a new one. If you're THAT INCREDIBLY CARELESS with your administrative information you're just not administrative material.

Quote:(3) QUESTION: is anyone happy with this?

Actually, I'm more satisfied with it now than when I started reading this post. This scheme weeds out the people who think they know how the Internet works and gives them an object lesson in how much they need to learn.

Quote:I'm adding this section so that people don't get the idea that doing things properly would make the process horribly complicated. It's actually really simple. The password recovery button should cause an email to be sent to your email address, containing a time-limited invitation to a dialog that asks you your security question and then reveals your password.

Better hope that prankster-in-law of yours doesn't figure out you leave your bank account info on GMail or you may (unwittingly) be buying the beer on his next fun drinking binge. So when that hot chick with an awesome pink headband goes jogging by, keep your eyes on your keyboard lest mayhem occur.

The additional step you're proposing just means another 7 seconds added to the process. Your brother-in-law takes 14 seconds to steal your password instead of 7. If you're using GMail for your admin account(s) you've made a mistake and DH is certainly NOT to blame for it. If you have told your computer to remember a password that it should NOT know and you SHOULD know, again, you've made a mistake that DH is not to blame for.

Dreamhost should add a wiki page about very basic administrative password management and move on to more important things.

Now I'm off to go see how many people in my apartment complex have open wireless connections on their home routers; some Nigerian dude promised me $10,000,000 US if I'd help him send a few anonymous emails and daddy needs a new pair of shoes. And lots of hookers and blow. And maybe a nice Ferrari too.
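The "time-limited invitation" tomtavoy proposes, and the point this reply keeps making (a recovery mail sitting in a web inbox is exactly as safe as that inbox), can be made concrete. The block below is an added example written for this page; it is not DreamHost's code and was not posted by anyone in the thread. It mints an HMAC-signed, single-use reset token that expires after 15 minutes and carries no password at all, so a token dug out of an old "don't fret" mail after the window, or after it has been used once, is worthless. One deliberate departure from the quoted proposal: the token gates a password *reset*, not a reveal, because revealing the old password would require the provider to store it recoverably. The server key, the 15-minute TTL, the account names and the in-memory set of redeemed nonces are all assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-side secret. A real deployment loads a persisted key from a
# secret store; generating one at import time is only for this stand-alone demo.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60  # assumed window; the proposal only says "time-limited"

# Single-use bookkeeping: nonces of tokens already redeemed. An in-memory
# stand-in for the database table a real service would use.
_redeemed_nonces: set = set()


def _mac(payload: bytes) -> str:
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_reset_token(account_id: str, now: Optional[float] = None) -> str:
    """Mint a token that lets account_id open a password-reset dialog until expiry.

    The token contains no password and no password hash. It proves only that
    the server issued it for this account within the last TOKEN_TTL_SECONDS.
    Layout: account_id|expiry_unix|nonce|mac
    """
    if "|" in account_id:
        raise ValueError("account_id must not contain the field separator")
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(16)
    payload = f"{account_id}|{expiry}|{nonce}".encode()
    return payload.decode() + "|" + _mac(payload)


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account_id if the token is authentic, unexpired and unused.

    Returns None on any failure. On success the nonce is recorded so the same
    token cannot be redeemed a second time by whoever finds it in the inbox.
    """
    now = time.time() if now is None else now
    try:
        account_id, expiry_s, nonce, mac = token.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None  # malformed token
    payload = f"{account_id}|{expiry}|{nonce}".encode()
    # Check the MAC before trusting any field; compare_digest avoids leaking
    # how many leading bytes matched through timing.
    if not hmac.compare_digest(_mac(payload), mac):
        return None
    if now > expiry:
        return None  # the invitation has lapsed
    if nonce in _redeemed_nonces:
        return None  # already used once
    _redeemed_nonces.add(nonce)
    return account_id


if __name__ == "__main__":
    # Constructed walk-through: issue, redeem once, then watch replays fail.
    t = issue_reset_token("tomtavoy")
    print("fresh token redeems as:", redeem_reset_token(t))
    print("same token again:", redeem_reset_token(t))
    stale = issue_reset_token("tomtavoy", now=time.time() - TOKEN_TTL_SECONDS - 1)
    print("expired token:", redeem_reset_token(stale))
```

Two design choices worth noting. The expiry is inside the signed payload, so a reader who edits the timestamp to extend the window invalidates the MAC rather than winning more time; and the nonce is recorded on redemption, so the 7-second inbox search this thread describes yields, at best, a link that has already been spent.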
