missing points?

ClearXS - January 19, 2009 - 22:37
Project: Local Email
Version: 6.x-2.0
Component: Miscellaneous
Category: feature request
Priority: normal
Assigned: Unassigned
Status: active
Description

Hi; I'd just like to use the module in ADDITION to the email and captcha / Mollom check, but both disappear when I ask for a new password.
I'm only interested in more security (no fancy stuff) and don't want freaks to harass me by clogging up my email account with unasked-for password requests, or, if they could hack an email account, just getting the password by having it sent to that account. So I'd like to have a private security question BEFORE that mail is sent to me (or to other users).

Then I couldn't find the module again or how to turn it off (I have many modules); it's not in the admin user management menu. So I had to spend half an hour looking for where I found this module to remember its name, and then go to my modules dir to look in the readme file to remember where and what settings I'd changed, in order to get it back to the normal way (with mail to user and captcha).

#1

-Anti- - January 23, 2009 - 18:38

I think you may have misunderstood the 'security question' feature in this module.

Primarily, this module simply allows users to register without supplying an email address.

That's all it does. It has nothing to do with increasing security. In fact it could be argued that allowing users to register without an email address increases their anonymity and so decreases your security. This module would only really be used for a CLOSED website membership; for schools/clubs/organisations/businesses where the members KNOW each other.

However, not supplying an email address causes a problem: Normally if a user forgets their password it will be sent to their email address, which is quite secure because no-one else should be able to access that address. But an email can't be sent if they haven't supplied an email. So the security question is like a second password - it just gives the user another chance to access their account and enter a new password without having to contact an admin.

However, again it could be argued that security is decreased, because a security question is usually less secure than a random alphanumeric password. For instance, if the security question was 'what is your favourite colour?', I could probably get into your account in under ten guesses. So admins *really* need to ensure they create questions which have hundreds of possible answers.

The conclusion is, if you are looking to increase security, DON'T use this module.

If you want users to join your site without supplying an email address, DO use this module (bearing in mind it doesn't actually work yet), and be aware that it decreases security.

 
 
