On 2012-07-08 5:45 PM, Andy Parkins wrote:
> If the VPS owner has chosen to disable password reset (which for a security
> sensitive site, they almost certainly should -- emails aren't secure), then
> it is their duty to supply a public-key method of verifying their identity.
> If they haven't done that then I don't think it's unreasonable for you to
> require any level of:
>
> - Birth certificate
> - Utility bill
> - Passport
> - Freshly made photo of them holding today's paper with a secret phrase of
> your choice written on it.
> - An unlocking payment from the same source as the original VPS purchase
Imagine this. Someone walks into my house, grabs my ID document and a
utility bill and scans them (I have no passport). These are all on my desk.
The photo is also easy (using macbook pro's camera). They have already
hacked into my e-mail, so sending the payment is not an issue (they have
my mac password, e-mail password, paypal/google pay password, which are
all of course the same[1]). Bingo.
[1] I have separate passwords for everything. All in 1-Password. Secured
with an 18-character password. Won't happen here, but can at other places
I'm sure.
> In short: paranoia. Disabling password reset implies a level of security
> that should be maintained. It's saying "I take full responsibility for the
> password to this VPS, and if I lose it, I accept that I may never get access
> again".
Put a note on the site. "If you disable password reset you take full
responsibility for not losing your access details. You also confirm that
bitfolk will be unable to help you
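The "public-key method of verifying their identity" that the quoted message asks providers to offer, worked through as an added example; this is not code from the thread or from any provider's real recovery system. The shape is a challenge-response: the customer registers an Ed25519 public key when they disable e-mail password reset, and recovery later requires signing a fresh, single-use nonce with the matching private key. The names (RecoveryService, the "vps-recovery-v1" purpose string, the account "alice") and the 5-minute challenge lifetime are assumptions chosen for the example; the nonce is bound to the account and a purpose string so a signature cannot be replayed against another account or another protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// challengeTTL bounds how long an issued challenge may be answered (assumed value).
const challengeTTL = 5 * time.Minute

// issuedChallenge is one outstanding recovery challenge for an account.
type issuedChallenge struct {
	nonce   []byte
	expires time.Time
}

// RecoveryService is the provider side: the public key each customer
// registered when opting out of e-mail reset, plus outstanding challenges.
// The clock is injectable so expiry can be exercised in tests.
type RecoveryService struct {
	keys map[string]ed25519.PublicKey
	open map[string]issuedChallenge
	now  func() time.Time
}

func NewRecoveryService(now func() time.Time) *RecoveryService {
	return &RecoveryService{
		keys: map[string]ed25519.PublicKey{},
		open: map[string]issuedChallenge{},
		now:  now,
	}
}

// RegisterKey stores the customer's public key; the private half never
// reaches the provider, so nothing on the provider's side can be stolen
// and reused to impersonate the customer.
func (s *RecoveryService) RegisterKey(account string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	s.keys[account] = pub
	return nil
}

// IssueChallenge hands the claimant a fresh random nonce to sign.
func (s *RecoveryService) IssueChallenge(account string) ([]byte, error) {
	if _, ok := s.keys[account]; !ok {
		return nil, errors.New("no recovery key on file; identity cannot be verified")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.open[account] = issuedChallenge{nonce: nonce, expires: s.now().Add(challengeTTL)}
	return nonce, nil
}

// recoveryMessage binds the nonce to the account and a purpose string
// (domain separation) so a signature is only valid for this exact use.
func recoveryMessage(account string, nonce []byte) []byte {
	msg := append([]byte("vps-recovery-v1\x00"), account...)
	msg = append(msg, 0)
	return append(msg, nonce...)
}

// SignChallenge is the customer side; it runs wherever the private key lives.
func SignChallenge(priv ed25519.PrivateKey, account string, nonce []byte) []byte {
	return ed25519.Sign(priv, recoveryMessage(account, nonce))
}

// VerifyRecovery checks the signature against the registered key. The
// challenge is consumed on every attempt, so each try needs a new nonce.
func (s *RecoveryService) VerifyRecovery(account string, sig []byte) error {
	c, ok := s.open[account]
	if !ok {
		return errors.New("no outstanding challenge for account")
	}
	delete(s.open, account)
	if s.now().After(c.expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.keys[account], recoveryMessage(account, c.nonce), sig) {
		return errors.New("signature does not verify against registered key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	svc := NewRecoveryService(time.Now)
	_ = svc.RegisterKey("alice", pub)
	nonce, _ := svc.IssueChallenge("alice")
	sig := SignChallenge(priv, "alice", nonce)
	fmt.Println("first attempt:", svc.VerifyRecovery("alice", sig)) // <nil>
	fmt.Println("replayed:", svc.VerifyRecovery("alice", sig))      // error: no outstanding challenge
}
```

Note how this differs from the document-based checks in the thread: scanned ID, a photo and a payment are all things an intruder with physical or mailbox access can produce, whereas the private key only proves anything if it was kept apart from the compromised account, and a signature captured in transit is useless once its nonce has been consumed or has expired.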