[IRCServices] Suggestion

Yusuf Iskenderoglu uhc0 at rz.uni-karlsruhe.de
Mon Mar 19 00:11:01 PST 2001


Hello;

On Mon, 19 Mar 2001, Andrew Church wrote:

>      Since users having their passwords taken almost certainly means they
> chose an easy-to-guess password, the right solution is to educate the
> users.  I don't see why Services should have to run through hoops to try
> and solve this problem.  (Of course, if your server is being
> packet-sniffed, then you have other problems altogether.)

This is correct, but you also have to see that passwords are "guessed"
via scripts which use sockets (mIRC has socket events, e.g.) and start a
good number of connects, each with 3 nick password guesses. Sure, it takes
time on good passwords, but sometimes users simply cannot stop themselves
from setting the cellular phone number as their password, so suddenly it
gets limited to numbers only, etc., etc.

What I will offer is definitely not the perfect solution, but can really
help to identify who is who when recovering passwords:

Two of the features I personally (with my limited knowledge of coding)
added to services include the sendpass architecture and a nickname
authentication system, which operate the following way.

Each time a nickname is registered, the nick gets an authentication code, a
la DALnet, which cannot be changed, and which is not shown. This code is
emailed to the address given with the register command.  After that, the
person has to issue /nickserv AUTH <code> within some services.conf days,
or the registration will expire. If people claim to have lost their
passwords, but can prove that they have the authentication code, because
it was emailed to them, a services oper can issue /nickserv GETAUTH nick,
and check the real authentication code against the given one; if they match,
it is highly possible that the person is the real owner, so
sendpass/getpass can be issued.

Regards,
yusuf

Yusuf Iskenderoglu  ***  eMail uhc0 at rz.uni-karlsruhe.de
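
A minimal C sketch of the authentication-code lifecycle described in the message above (issue at registration, AUTH within a deadline, oper-side comparison), added here as an example and not taken from the post or from the IRC Services source. The names `NickAuth`, `nick_register`, `code_matches`, `nick_expired` and `nick_auth`, the 16-character code length and the 7-day deadline are all assumptions; drawing the code from `/dev/urandom` and comparing in constant time are choices of this example, not details given in the post.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define AUTH_LEN 16          /* hex chars in the code (assumed length) */
#define AUTH_EXPIRE_DAYS 7   /* stand-in for the services.conf setting */

typedef struct {
    char authcode[AUTH_LEN + 1]; /* set once at registration, never shown */
    time_t registered;
    int authed;                  /* 1 after a successful AUTH */
} NickAuth;

/* REGISTER: draw the code from the OS CSPRNG. 0 on success, -1 on failure. */
int nick_register(NickAuth *na, time_t now) {
    unsigned char raw[AUTH_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    memset(na, 0, sizeof *na);
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(na->authcode + 2 * i, 3, "%02x", raw[i]);
    na->registered = now;
    return 0;
}

/* GETAUTH-style check: constant-time compare of stored vs. claimed code. */
int code_matches(const NickAuth *na, const char *given) {
    unsigned char diff = 0;
    if (strlen(given) != AUTH_LEN) return 0;
    for (int i = 0; i < AUTH_LEN; i++)
        diff |= (unsigned char)(na->authcode[i] ^ given[i]);
    return diff == 0;
}

/* An unconfirmed registration lapses after AUTH_EXPIRE_DAYS. */
int nick_expired(const NickAuth *na, time_t now) {
    return !na->authed && now - na->registered > (time_t)AUTH_EXPIRE_DAYS * 86400;
}

/* AUTH <code>: 1 = confirmed, 0 = wrong code, -1 = registration expired. */
int nick_auth(NickAuth *na, const char *given, time_t now) {
    if (nick_expired(na, now)) return -1;
    if (!code_matches(na, given)) return 0;
    na->authed = 1;
    return 1;
}
```

Because the code is random rather than user-chosen, it does not shrink to a digits-only search space the way a phone-number password does.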