Collect email address when creating username / pass #14
Comments
Even better, allow OpenID login via FB / Twitter / Goog logins.
This would have to be implemented carefully to avoid running afoul of COPPA. The suggestion on the COPPA guideline website is that we can collect an email address for password recovery, but we may not store it. Instead, we should store a hash of it. If a user wants to reset the password, they can enter their email address, and we verify it with the hash, and then send out reset instructions. We can't store an email address, and we cannot send update messages to an email address. There is a COPPA exception for one-time-use (e.g., at the moment that password recovery is needed). I do not know if this hashing scheme is possible with OpenID. The other possibility is to run the website in a 501c(3), which is also COPPA exempt. Right now the password recovery scheme is just "send a note to David Bau and he will trust that you are being a normal civilized person, and he will just reset your password".
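The hash-and-verify recovery flow described in the comment above, as an added example that is not part of the thread or of pencilcode's code. It assumes Node.js, salted scrypt as the hash, and hypothetical function names and account-record fields.

```javascript
// Added example: names and storage layout are hypothetical, not pencilcode's.
const { createHash, randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

// Canonical form, so "Kid@Example.com " and "kid@example.com" hash alike.
function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// Signup: returns the only email-derived data that is persisted.
function makeEmailVerifier(email) {
  const salt = randomBytes(16);
  const hash = scryptSync(normalizeEmail(email), salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Reset: true only if the claimed address reproduces the stored hash.
function emailMatches(claimedEmail, verifier) {
  const expected = Buffer.from(String(verifier.hash), 'hex');
  if (expected.length !== 32) return false; // corrupt or missing record
  const salt = Buffer.from(String(verifier.salt), 'hex');
  const actual = scryptSync(normalizeEmail(claimedEmail), salt, 32);
  return timingSafeEqual(actual, expected); // constant-time comparison
}

// accounts: Map of username -> record; sendMail(to, token): caller-supplied mailer.
function requestPasswordReset(accounts, username, claimedEmail, sendMail) {
  const account = accounts.get(username);
  if (!account || !account.emailVerifier) return false;
  if (!emailMatches(claimedEmail, account.emailVerifier)) return false;
  const token = randomBytes(32).toString('hex');
  // Persist only a digest of the token, with a 30-minute expiry (constructed value).
  account.resetTokenHash = createHash('sha256').update(token).digest('hex');
  account.resetExpires = Date.now() + 30 * 60 * 1000;
  // One-time use: the typed address goes to the mailer and is not saved.
  sendMail(normalizeEmail(claimedEmail), token);
  return true;
}
```

Email addresses are guessable, so the per-account salt and a slow hash only raise the cost of recovering them from a leaked table. The page shown to the user should read the same whether `requestPasswordReset` returned true or false, so the form does not confirm which addresses belong to which usernames.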
forgot about COPPA ... On Thu, Jan 16, 2014 at 10:57 PM, David Bau notifications@github.com wrote:
Prem "I have an almost complete disregard of precedent, and a faith in the
Ported to pencilcode-site.
Allows for account recovery, tracking, emailing updates, etc.