[wp-forums] angelin.deboral lost the email to her old user ID

Otto otto at ottodestruct.com
Thu Sep 8 16:30:54 UTC 2011


We've been handling this through the password reset email address a
fair amount (pw-reset-2011 at wordpress.org). They should email there.

My general approach is that if I can find positive proof that the
person is the same, then I change the email and give them the account
back.

What constitutes proof?
- If they have a URL on the account and still own that site, then I
ask them to put a post or a text file up proving that they own it.
- Custom domains have WHOIS records that can be useful for verifying
site ownership.
- If they can tell me what the email address was before (email
addresses are hidden from normal user views). This one is dicey, so I
use it with more care when there are themes or plugins attached to the
account. If it's just forum posts, then I'm a bit more lenient.
- If they're well known and I trust them. Hey, reputation is
everything in open source.
- If I can find confirmation via browsing the web and finding
references, links, anything that will convince me that I'm not making
a mistake.

Things like that. I tend to be a bit forgiving on this, but careful,
basically. Also, since we're using email, I have a record to fall back
to if I need to reference what changed. So far, it hasn't really been
a problem. Most have either been really obvious or somebody saying
"hey, my email used to be foo at bar.com but now it's foo at barbar.com, can
you change it for me?"...

Only once have I had to tell somebody no, out of, oh, hundreds now.

-Otto


On Thu, Sep 8, 2011 at 10:47 AM,  <ipstenu at ipstenu.org> wrote:
> Her latest post:
> http://wordpress.org/support/topic/i-want-the-emailid-associated-with-account-as-i-have-forgot
>
> Backstory.
>
> She had an id (angelin.nadar -
> http://wordpress.org/support/profile/angelinnadar/ ) with NO posts, and she
> lost the password.  No big, except she also forgot which email address it
> was.  Furthermore, the email address no longer exists (per yahoo, I emailed
> it directly).
>
> So now we have a case where she says "I am this user name, but I can't prove
> it in any way shape or form, because I don't remember the password or the
> email.  But can you reset the password for me anyway?"
>
> And I said "No, that's what we call 'social engineering.'  Tough titties,
> move on."  (I said it nicer!)
>
> Do I think it's her? Probably yes, but with no posts to the name, I can't
> even spot-check the IP to be certain, and the security mole in my heart
> screams in abject hate at the idea of just handing over an ID, when I don't
> know what else it may affect.  I highly doubt there's any risk in this
> particular situation, but I'm not personally comfortable opening the door.
>  Especially since (1) no posts exist for the old account, (2) she has one
> (unanswered) topic with the new one and (3) merging accounts involves buying
> Otto a home brewery set at this rate.
>
> Am I being too knee-jerky paranoid about security?  (I swear, Nacin, I took
> the tin foil out of my hat today!)