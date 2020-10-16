You can combine the email, a user ID and “random” key, and hash the lot into a key.
That way the private info isn’t in plain text in the URL, but the info is there to reference it to the valid user account.
I love this concept,
But I have big questions.
If it is in plain text, does it mean someone's privacy has been breached?
Was the URL containing the user's email published on the site pages?
Was it not sent to the very email that owns it?
And if someone reads the email, it does mean the person already has the email address you intend hiding from and much more can even access the said email?
This question I really need to know: if the URL is sent via a non-HTTPS protocol, what will happen? Who reads the content and how?
Even though everyone can read the content, they won't know this email is Donald Trump's email or Prince Richard's email.
So they sit recording email addresses whose owners they know not?
Apart from spamming or marketing purposes, it is a waste of time doing that.
Even they can simply keep checking the yahoo or gmail.com registration page with generic email names, and once it says this email already exists they will add it to their records.
Every hacker has a target, there are over billions of emails littering everyone. One jobless fellow saw something like dontdo@yahoo.com and started trying to hack it or what?
What I consider a privacy breach is
Donald Trump (president USA)
Email:
donald@unknown.com
Phone: 555555555555555
That's what a privacy breach is, because it is so descriptive, not a random URL that holds nothing but an email address.
I posted an email example@example.com on my public website, and someone saw it and said oh! That's my email address, I am suing for GDPR. When he gets to court, what exactly will he tell them?
That I said hey guys, this email belongs to jark or john?
I'd rather focus my energy on ensuring the content is transmitted to the user securely, using https as @rpkamp had pointed out, but won't stress myself with privacy laws.
Your choice obviously, but fines for not following them are severe.
To you maybe, but not to the law [in the EU, GDPR]. Under law any leaking of Personally Identifiable Information or failing to remove this when requested is a privacy breach.
And along the lines of GDPR, this is partly why 3rd party processors exist. Why does Paypal exist? Because people don't want to give their credit card details to every website they shop with; Paypal sits in the middle and says “Yes, that user can purchase the item, Paypal certifies the money is available.”
Same way that “Login with Google” works - you don't need to give your password to the website, Google is trusted by the website, and says “Yes, this person is logged in as johndoe@example.com, treat them as such.” Your website doesn't need to (or even have access to) their password, but you've still got a verified login.
Wow! This is a serious matter.
Yes you are right, but hacking emails or gmail and as such if one google account has been hacked the hacker can log in to all the sites you are linked to, which I found very disturbing.
Is it not safe to limit the access to only one affected site? If Facebook or Twitter is hacked and more than 20 sites are doing login with social media, the hacker will simply access those sites once they have a hold of your gmail or facebook account.
Don't you think it is a cause for concern?
If you’re going to be concerned about that, get off of the internet. It’s the only way to be safe.
shrug
People are stupid. Most people reuse passwords. At which point, a hack on one site is a hack on all sites. I’d rather put my trust in a multibillion dollar company’s security team over you sitting in your basement.
Just my opinion.
No. Their security is top notch. Their privacy, on the other hand…
Well, just scared, but I am not leaving the internet for any reason; the benefits are enormous.
So if one's gmail or facebook is hacked, he or she caused the hack? By weak passwords or some mischievous deeds?
Those guys have a lot on their shoulders to deal with, knowing that one security mistake, either by them or by careless users, can jeopardize the security of other websites depending on them.
Facebooks are hacked, it is an indisputable fact, just like my weak basement websites are hacked too.
But then if a Facebook account is hacked and sitepoint is not using login with Facebook, then the hacker has more work to do.
But if my Facebook account is hacked, the hacker in one flip will access my sitepoint, my highpoint, my unusedpoints and virtually all sites I have an account with.
Note I maintain a one password for each website policy. So I know where the rain is coming from.
For starters, Gmail fingerprints the device/location from which you normally log in. If it detects anything suspicious (e.g. VPN usage, different location etc) then it requires you to verify yourself. Also, there’s no excuse for not having 2fa enabled nowadays.
This is the key
and
I already seemed to have kicked a hornet's nest with this post, so I am reluctant to kick it again, but yes, 2fa is pretty secure, but when you travel a lot and reside mostly outside countries with reliable admin or phone service it can be frustrating.
You can wait hours for an sms, if it ever arrives before the initial request times out.
I have had problems where I needed to request subsequent verification code only to receive the original code, now redundant because I requested another - very confusing.
My bank registered my wife's phone number, so now when I have to respond to their 2fa, I have to call her. Since it is her phone number registered, she is the only one that can change it, but she doesn't have a bank card as ID so they won't let her.
Some people even now do not have smart phones in some areas.
I know these examples only apply in certain locations, but if you are in one of those areas then they can be common and they do add another level of user frustration.
So I do prefer to have a one step verification
I like this idea, I will investigate - thanks
I just love this sweeping statement and I am going to use it as often as possible
Entirely your choice. Security (and privacy) is always a trade off with convenience.
You also have to ask yourself how terrible it would be if your account got compromised. If the answer is “not very”, then a one step verification is fine. If the answer is “utterly”, then IMO it’s probably worth the inconvenience.
Also, SMS is not the perfect approach to 2fa (because of sim hijacking etc). Better would be that you have an authenticator app to generate a time-based one-time pass code for you to enter as your second factor. No waiting around necessary. I do acknowledge though that some companies don’t offer this (Paypal for instance).
All security measures are worth the inconvenience; if you travel a lot then it is safer to use the Google Authenticator app, as it does not require internet or SMS.
Though not all banks support this method, most sites do.
Referring to my previous answer, this is the method I was thinking about, though I did not recall it exactly as explained here:-
But though this is for a password reset email, I think it would also work just the same for email verification.
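
An added example, not code from any participant in this thread: a sketch of the email-verification link discussed at the top of the thread and in the post above, where the user ID, the email and a random key are hashed into a token so the URL carries no address. The names `issue_token`, `redeem_token`, `verification_url`, the in-memory `pending` store, the one-hour lifetime and the `example.com` host are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # assumption: a real app loads this from config
TOKEN_TTL = 3600                         # assumption: links expire after one hour
pending = {}                             # stands in for a database table


def _digest(token):
    # Store only a hash of the token, so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, email, now=None):
    """Hash user ID, email and a random key into an opaque token and record it."""
    now = time.time() if now is None else now
    nonce = secrets.token_bytes(16)  # the "random" key: fresh for every link
    msg = str(user_id).encode() + b"\x00" + email.lower().encode() + b"\x00" + nonce
    token = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    pending[_digest(token)] = {
        "user_id": user_id,
        "email": email,
        "expires": now + TOKEN_TTL,
    }
    return token


def verification_url(token):
    # example.com is a placeholder host; no email address or user ID is in the URL.
    return "https://example.com/verify?token=" + token


def redeem_token(token, now=None):
    """Return the matching record, or None if unknown, expired or already used."""
    now = time.time() if now is None else now
    record = pending.pop(_digest(token), None)  # pop makes the link single-use
    if record is None or now > record["expires"]:
        return None
    return record
```

The server resolves the token back to the account on its side, so anyone who sees the URL in transit or in a log learns neither the address nor the user ID.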