-
mathieui
Could we standardize a common private PEP namespace for keeping account secrets?
-
mathieui
I mean, account recovery is the most painful thing
-
MattJ
What are you proposing to store in there?
-
pep.
Everything that would be useful to cop^Widentify a user
-
MattJ
Well that's basically it
-
MattJ
The traditional solution is to have a secondary contact method (usually email, possibly phone number)
-
pep.
Yeah. That's also what I would do, an optional secondary contact method
-
pep.
And if there isn't one, too bad
-
MattJ
Yes, it should be the user's choice. No recovery contact, no recovery.
-
MattJ
Or you know what we could do? Have the user provide some secret arbitrary string for their account, which, upon presentation, proves they are the account owner...
-
pep.
Yeah, Riseup does that
-
pep.
And that can be automated even
-
pep.
The server could even generate it itself during account creation
-
MattJ
The joke was that I was describing passwords 🙂
-
pep.
Heh
-
MattJ
And we know all the things we do to protect passwords already. If we have recovery secrets, we'd need to do the same for those unless we want to weaken security. And if the user can't remember the password, how can they remember a (secure) recovery string?
-
pep.
Who manages xmpp.work nowadays? I just realized "free software" (/ FOSS) wasn't a label there. Is there a way to add it?
-
emus
pep.: I think guus offered to support