User notification by email of account detail changes


Daniele Procida

Nov 15, 2015, 8:46:56 AM
to Django Developers
I've been discussing with Florian on IRC a suggestion for improved account security.

On many sites, you will get a message like this:

>Hello evildmp,
>
>We wanted to let you know that your GitHub password was changed.
>
>If you did not perform this action, you can recover access by entering
>dan...@vurt.org into the form at https://github.com/password_reset.
>
>To see this and other security events for your account, visit https://
>github.com/settings/security.
>
>If you run into problems, please contact support by visiting https://
>github.com/contact or replying to this email.

(In fact my gumtree.com account was compromised, and this mechanism is how I learned about it, and was able to alert Gumtree and have a fraudulent advertisement removed from my account within minutes).

A similar thing would be valuable in Django, to help improve the security of all Django accounts and sites.

I am not sure how it could or should be implemented; Florian suggests as part of a more general audit framework.

On a related matter, my djangoproject.com account has an associated email address (not the same one as at code.djangoproject.com) but I don't think I am able to change that.

Daniele

Baptiste Mispelon

Nov 15, 2015, 8:55:23 AM
to django-d...@googlegroups.com
For your djangoproject account, you can change your display name and
email there: https://www.djangoproject.com/accounts/edit/.



Baptiste

Daniele Procida

Nov 15, 2015, 8:58:03 AM
to Django Developers
On Sun, Nov 15, 2015, Baptiste Mispelon <bmis...@gmail.com> wrote:

>For your djangoproject account, you can change your display name and
>email there: https://www.djangoproject.com/accounts/edit/.

Heh, thanks, not even Florian was aware of that.

Is this documented somewhere?

Daniele

Baptiste Mispelon

Nov 15, 2015, 9:22:06 AM
to django-d...@googlegroups.com
I don't think it's documented anywhere.

I found the link by going to https://www.djangoproject.com/~bmispelon/
(replace by your username) and there was a link to it in the right side bar.



Baptiste

Josh Smeaton

Nov 15, 2015, 5:34:58 PM
to Django developers (Contributions to Django itself)
I'm not sure something like this should live inside Django proper. There is nothing to guarantee that a user model will have an email address even though the standard builtins do. I'd feel better about having this functionality provided by a library, maybe even by django-registration which we're considering taking under the django organisation on GitHub anyway. Of course, requiring a library to provide this feature means most users won't use it. That'd be the major trade-off.

Cheers

Caique Reinhold

Nov 16, 2015, 5:50:49 AM
to Django developers (Contributions to Django itself)
I think it could be a good feature to be implemented as part of the auth app.