Hobos are Cheap Robots
I've hated, since time began, most web-based "verification" services: those that require you to enter your age, to click a link in a "return email" (or to even enter your email at all), to read some fuzzy letters in CAPTCHA (hopelessly inaccessible), and so on. The topic of verification and login came up in today's development chat of Drupal (the best CMS eveerrrR), and my stance was, simply, that I didn't want to ask for email addresses at all (I don't care for 'em, so why should I even store 'em?), nor perform verification on them. The immediate response was "Well, how will you tell a robot from a human?". My reply was simply:
Verification with CAPTCHA, or anything else, can be easily broken by waving a twenty at a hobo.
This prompted one person to sway their opinion. There are, of course, many other approaches to the verification issue: for example, "how would you stop duplicate accounts?", to which I'd reply (cunningly and without a solution) that the mass availability of free accounts prevents the email address metric from even being considered.
Drupal developers want to give administrators choices: to allow them to customize the login process as they feel is appropriate, and to streamline it so the user can take advantage of the Drupal goodies as soon as possible. I'm fine with choices: hell knows I love clicking little boxes. But, give me the opportunity to choose no choice at all: to disable email collection and verification of any sort. Then I'll be happy.
Too often have I tried to circumvent this *hardcoded* part in Drupal. Till now, the only real solution was a hack to core. And hacks are never a real solution, I contradict myself there.
Agreed, from a Drupal point of view, flexibility is great (as mentioned in that thread, an option to implement a system of your choice would be best). However, in a signup system that doesn't use email addresses, how will you accomplish password recovery? The only real solution I can think of is to have a *shudder* "password phrase", or find that all your users just create dupe accounts whenever they lose their passwords..
i hate hobos but i love james
I agree with Gatsby... The reason I require an email address in my signup has nothing to do with trying to prove that my users are who they say they are -- I don't really care so much... it's just about providing a semi-reasonable way for them to retrieve their password information if they happen to forget it or, worse, their username. Making email addresses unique is a requirement of the retrieval system (they can have as many email addresses as they want, and try each on the retrieve password form until they find the right one), it's merely a perk that it happens to also reduce the amount of duplication (I'm not out to eliminate it altogether, but having less of it is nice).
I'm unfortunately knee deep in a total overhaul of my own account management / security suite because I held on to backward compatibility for way too long... It's my own damn fault, however, I will say that there are / will be no issues with login / signup info being "hard coded" in my codebase. My framework (properly implemented) makes it pretty darned unlikely that such a situation would ever occur. Maybe I'll build something to compete with Drupal some time this year. :-)