PencilCode / jquery-turtle

Turtle Graphics for JQuery

Collect email address when creating username / pass #14

Closed premr closed 10 years ago

premr commented 10 years ago

Allows for account recovery, tracking, emailing updates, etc.

premr commented 10 years ago

Even better, allow OpenID login via FB / Twitter / Goog logins.

davidbau commented 10 years ago

This would have to be implemented carefully to avoid running afoul of COPPA. The suggestion on the COPPA guideline website is that we can collect an email address for password recovery, but we may not store it. Instead, we should store a hash of it. If a user wants to reset the password, they can enter their email address, and we verify it with the hash, and then send out reset instructions.

We can't store an email address, and we cannot send update messages to an email address. There is a COPPA exception for one-time-use (e.g., at the moment that password recovery is needed).

I do not know if this hashing scheme is possible with OpenID.

The other possibility is to run the website in a 501c(3), which is also COPPA exempt.

Right now the password recovery scheme is just "send a note to David Bau and he will trust that you are being a normal civilized person, and he will just reset your password".

premr commented 10 years ago

forgot about COPPA ...

On Thu, Jan 16, 2014 at 10:57 PM, David Bau notifications@github.com wrote:


davidbau commented 10 years ago

Ported to pencilcode-site.