
Collect email address when creating username / pass #14

Closed
premr opened this issue Jan 16, 2014 · 4 comments

Comments

@premr

premr commented Jan 16, 2014

Allows for account recovery, tracking, emailing updates, etc.

@premr
Author

premr commented Jan 16, 2014

Even better, allow OpenID login via FB / Twitter / Goog logins.

@davidbau
Member

This would have to be implemented carefully to avoid running afoul of COPPA. The suggestion on the COPPA guideline website is that we can collect an email address for password recovery, but we may not store it. Instead, we should store a hash of it. If a user wants to reset the password, they can enter their email address, and we verify it with the hash, and then send out reset instructions.

We can't store an email address, and we cannot send update messages to an email address. There is a COPPA exception for one-time-use (e.g., at the moment that password recovery is needed).

I do not know if this hashing scheme is possible with OpenID.

The other possibility is to run the website in a 501c(3), which is also COPPA exempt.

Right now the password recovery scheme is just "send a note to David Bau and he will trust that you are being a normal civilized person, and he will just reset your password".
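The scheme described in the comment above (store only a hash of the address at signup; at reset time the user retypes the address, it is checked against the stored hash, and a one-time reset token is sent to the address just typed, which is then discarded) as an added example. This is not code from the pencilcode project. One design choice beyond the comment: the hash is an HMAC keyed with a server-side secret ("pepper") rather than a bare SHA-256, because email addresses are easy to guess and an unkeyed hash table could otherwise be reversed offline by dictionary attack. The `PEPPER` value, `AccountStore` class and its method names are all assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for this example. In a deployment it is kept outside the
# database (config file, secret manager) so a leaked table cannot be reversed.
PEPPER = b"example-pepper-do-not-use-in-production"


def normalize_email(email: str) -> str:
    """Canonicalize the address so the same mailbox always produces the same hash."""
    return email.strip().lower()


def email_fingerprint(email: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of the normalized address; this is all that is ever stored."""
    return hmac.new(pepper, normalize_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


class AccountStore:
    """Hypothetical in-memory store: usernames map to an email fingerprint, never to an address."""

    def __init__(self):
        self._fingerprints = {}   # username -> email fingerprint
        self._reset_tokens = {}   # token -> (username, expiry timestamp)

    def register(self, username: str, email: str) -> None:
        # The plaintext address is used once, here, and then dropped.
        self._fingerprints[username] = email_fingerprint(email)

    def request_reset(self, username: str, email: str, now=None, ttl: int = 900):
        """Return a one-time reset token if the typed address matches the stored hash, else None.

        The caller mails the token to `email` and then discards the address; it is not persisted.
        """
        now = time.time() if now is None else now
        expected = self._fingerprints.get(username)
        if expected is None:
            return None
        # Constant-time comparison so a mismatch does not leak how close the guess was.
        if not hmac.compare_digest(expected, email_fingerprint(email)):
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = (username, now + ttl)
        return token

    def redeem(self, token: str, now=None):
        """Consume a reset token; returns the username it belongs to, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._reset_tokens.pop(token, None)   # single use: removed on first redemption
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            return None
        return username


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "Alice@Example.com ")
    tok = store.request_reset("alice", "alice@example.com")
    print("reset for:", store.redeem(tok))
```

`request_reset` returns `None` both for an unknown username and for a non-matching address, so the response to the user can be the same in both cases and does not confirm whether an account exists. Tokens are single-use and time-limited, which is what makes the "send instructions to the address typed just now" step safe to do without retaining the address.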

@premr
Author

premr commented Jan 17, 2014

forgot about COPPA ...


@davidbau
Member

davidbau commented Feb 1, 2014

Ported to pencilcode-site.

@davidbau davidbau closed this as completed Feb 1, 2014