- make the lost password module better (I think Lazlo's work is a good start)
I certainly aim to make the process involved more obvious. Some of the confusion certainly comes from some of the English language defines being written by people whose first language isn't English. I'll be looking at keeping this as simple as possible while maintaining the security of the process.
- give a choice at installation to choose a 2 way encryption for the password (and then make the password retrieval in only 1 step)
This is an incredibly difficult feature to code as it would require significant changes. I personally see a one-way hashed password as a minimum for a web application. Think about the security issues resulting from the transmission of decodable content over the web, think about the potential abuse from a site admin who could decrypt users' passwords. How many PN sites are you signed up to? Do you use the same password for each? Now if I could get you to sign up to my site and could then decrypt your password and use it to gain access to other sites you've signed up to... Next question: do you use the same password for your PN site's admin password as you do for signups on other PN sites (I hope not..)?
As you can see there are many, many issues. Saying that, I'm in the process of opening up the authentication process to a more modular structure so that new authentication modules can be written to authenticate users against other sources, be it an LDAP directory or an existing DB (say phpBB etc.). So it would be possible for you to write an auth module with weaker encryption.
- give an option to let the users choose their password at signup
Done....
- give an option to force users to activate their membership by clicking on a link in their mail
Done....
- give admin a function to wipe unactivated accounts after a period of time set by admin
Currently with PN .8 this could be done via an SQL query that would take the activated status and the registration date. However I can look at adding this as an admin-selectable option.
Overall I think you've got some good ideas but possibly 'hold the hand' of your users a little too much. Sometimes you have to be willing to say "that's the way it works and here's why".
Working in a university I quite often find that users will ask and ask for something to be made easier until you sit down with them and show them how and why something works the way it does and state clearly that it's not going to change, at which point they learn how to do it and get on with it. Not to say that this could or should apply to your users but.....
Note that one of the overall goals for PN .8 is a significant improvement in accessibility and usability. This is being done in a number of ways. Firstly a significant cleaning of the outputted HTML, a significant reduction in the use of tables, i.e. CSS layouts with tables used only for tabular data, and compliance with a strict HTML doctype. Then to look at each process to make sure that it functions in the easiest way possible while not compromising security.
However security and usability are often at odds with each other and this is something that even corporate software authors struggle with. Take Outlook as an example; ease-of-use features like automatically displaying the contents of e-mails and attachments. While this made the process of reading e-mail simpler, it's obvious the security problems that have been caused by this usability feature. Now if we look at the bigger picture, has this really made things easier, or has the ease with which viruses can be spread meant there are more viruses, meaning people have to take more steps to protect themselves? Ultimately meaning that the process of reading one's e-mail is now MORE difficult as the result of a feature that was meant to make it EASIER. A classic example of cause and effect at work.
-Mark
--
Visit My homepage and Zikula themes.
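The point Mark makes about two-way "encryption" versus one-way hashing, as an added example that is not PostNuke/Zikula code and not part of the original thread (written in Python rather than the project's PHP so it can be run as-is). It stores the same password under both schemes and then plays the site admin: with the reversible scheme the admin recovers the plaintext from the users table and the site key, and can try it against a second site where the user reused the password; with a salted one-way hash the record only supports verification. The site key, the record format (`rev$...` / `pbkdf2_sha256$...`), the toy XOR cipher and the "other site" records are all assumptions made for the illustration.

```python
"""Reversible password storage vs. salted one-way hashing.

Added example, not PostNuke/Zikula code. The reversible scheme is a toy
XOR stream cipher; any real two-way scheme has the same property that
whoever holds the key can read every user's password back out.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed site-wide key for the reversible scheme. In a real deployment it
# would live in the site's config file next to the DB credentials, i.e. it
# is readable by exactly the person the post worries about: the site admin.
SITE_KEY = b"postnuke-example-site-key"


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks, truncated to `length`."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_reversible(password: str, key: bytes = SITE_KEY) -> str:
    """Two-way scheme: XOR with a key-derived stream, base64, 'rev$' prefix."""
    raw = password.encode()
    ks = _keystream(key, len(raw))
    return "rev$" + base64.b64encode(bytes(a ^ b for a, b in zip(raw, ks))).decode()


def decrypt_reversible(record: str, key: bytes = SITE_KEY) -> str:
    """Anyone holding the key (admin, or an attacker with the config file)
    gets the plaintext back; that is the whole problem with the scheme."""
    scheme, _, body = record.partition("$")
    if scheme != "rev":
        raise ValueError("not a reversible record")
    raw = base64.b64decode(body)
    ks = _keystream(key, len(raw))
    return bytes(a ^ b for a, b in zip(raw, ks)).decode()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """One-way scheme: salted PBKDF2-HMAC-SHA256, stored as
    pbkdf2_sha256$iterations$salt_hex$digest_hex. A fresh random salt per
    user means two users with the same password get different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def recover_plaintext(record: str, key: bytes = SITE_KEY) -> Optional[str]:
    """What a site admin can pull out of a stored record: the password itself
    for the reversible scheme, nothing for a one-way hash."""
    if record.startswith("rev$"):
        return decrypt_reversible(record, key)
    return None


def admin_can_reuse_elsewhere(record_here: str, record_elsewhere: str) -> bool:
    """The post's scenario: the admin of this site reads a user's record and
    tries the recovered password on another site where the user signed up
    (modelled as a site that keeps salted hashes). True means the admin gets in."""
    plaintext = recover_plaintext(record_here)
    return plaintext is not None and verify_password(plaintext, record_elsewhere)


if __name__ == "__main__":
    # Constructed sample: alice reused "hunter2" on a second site.
    other_site = hash_password("hunter2")
    print("reversible:", admin_can_reuse_elsewhere(encrypt_reversible("hunter2"), other_site))
    print("hashed:    ", admin_can_reuse_elsewhere(hash_password("hunter2"), other_site))
```

The reversible scheme still lets the site verify logins, which is why it looks harmless from inside the application; the difference only shows up once you ask what the stored record gives to someone who can read the database and the config. That is also why a "one-step" password retrieval is impossible with hashing: the lost-password flow has to reset the password (or mail a one-time token) rather than send the old one back.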