Anope IRC Services

Anope Development => Feature Requests => Topic started by: Obi Wan on July 25, 2009, 04:16:29 PM

Title: /ns sendpass <nick> <email>
Post by: Obi Wan on July 25, 2009, 04:16:29 PM

I thought about something. I'm used to it from other services that if you want to use sendpass you will have to use /ns sendpass <nick> <email>. Services would then check if the email address corresponds correctly to the given nickname and then sends out the password (or sends out a new password for that user account)

I think that would be a very good function for users who have forgotten their password. The reason I'm starting this is that some of my users quite often forget their passwords and now they would first have to identify to do a sendpass on their nick which makes the function currently as it is quite useless.

Thanks

Title: Re: /ns sendpass <nick> <email>
Post by: Darth Panda on July 26, 2009, 02:36:53 PM

I'm always very fond of the "human element" when it comes to these kinds of things. While I'm not opposed to this idea, I'd like to think that having your staff talk to the user in question and ask them verifying questions like "what's the email address that you registered with?" and checking Nickserv's ACCESS list to see if the host they are from even matches something on the list and ask questions about their nick and their channel access and see if the information that is received matches the info on file that is not displayed to the public. That'll give you an idea as if this is the real owner or not. Since email isn't generally encrypted when it's sent from services you are broadcasting passwords in plain text as well as possibly sending the password to someone that has hijacked this users email account and now what into their IRC account as well. SENDPASS to me is taking a users password and throwing it blindly at a target and hoping the correct person catches it.

Many hackers use social engineering to get users to share personal information, there is no reason your staff can't do the same. Then after they are comfortable that they are talking to the real owner, set a new password for them. Some admins will not like this approach because their staff will actually have to do something constructive to earn their O:Line on their tiny network since in today's IRC software everything seems to be automated.

Title: Re: /ns sendpass <nick> <email>
Post by: Obi Wan on July 26, 2009, 03:02:28 PM

The think I actually thought of, as I said on irc yesterday, currently sendpass just won't have any use  however it could be enhanced to make it a usable function. Maybe completely rewrite it or something. I just think services should have a "I forgot my password" function. Maybe reset the password into something random like a forum does it or something like that.