Next Revision Unit Web Sites Wish List

Share discussions around the Classic Local Unit Website (LUWS).
Locked
User avatar
thedqs
Community Moderators
Posts: 1042
Joined: Wed Jan 24, 2007 8:53 am
Location: Redmond, WA
Contact:

#41

Post by thedqs »

I do not know if it has happened already but it is completely possible. A problem is trying to get a way that works for both the user and the church. If LUWS uses a "Security Question" that would be better although some people will forget even the security question answers and then who has to reset the account? Can we just allow the local admin or do we have to call up the church, and then how do they confirm the user is who they say they are?
- David
User avatar
dobrichelovek
Member
Posts: 98
Joined: Thu Oct 11, 2007 3:35 pm
Location: Utah, USA

Account reset.

#42

Post by dobrichelovek »

The current design is that the local admin can only see the username, but NEVER touches the password. I really like this. If a password is forgotten, the USER must use the required information to reset the account. What my proposal would require would be a third piece of dynamic information (automagically generated somewhere that is linked to the same server that does the authorization) that would be needed to reset the account in the case of an account that had been abused by someone that has access to the stale information. The new information would only be available by going to the priesthood leadership in the unit so that the individual could then reset her account and the rogue individual could not. The rogue individual would not have access to the 'new' password or the required information to reset the account.
User avatar
thedqs
Community Moderators
Posts: 1042
Joined: Wed Jan 24, 2007 8:53 am
Location: Redmond, WA
Contact:

#43

Post by thedqs »

So the dynamic information would have to be pulled off of MLS and then the local priesthood leader would have to get the information off of MLS to give to the member so that the member could reset his/her account?

Seems like a lot of extra work for both the member and the local priesthood leader without much benefit in return for the member (I only use the site as a membership directory since there isn't much else on the site).

I am just wondering if this would cause more people to migrate away from the site instead of to the site like we wanted to.
- David
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#44

Post by russellhltn »

dobrichelovek wrote:Has anyone had this problem already?
Not that I've heard of, but I can see the issue. Once you have the information, you have the information. The only work around I can think of at this time is to have CHQ change the user's ID. Once the perp doesn't know or can guess what the new ID is, they are unable to do anything more. They would have to social engineer the information from an admin to get anywhere.
User avatar
thedqs
Community Moderators
Posts: 1042
Joined: Wed Jan 24, 2007 8:53 am
Location: Redmond, WA
Contact:

#45

Post by thedqs »

RussellHltn wrote:They would have to social engineer the information from an admin to get anywhere.

Unfortunately this is really easy to do in today's world.
- David
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#46

Post by russellhltn »

thedqs wrote:Unfortunately this is really easy to do in today's world.
Yes, but hopefully once it's reached a point that the user ID was changed, the admins would have been briefed on the situation if they haven't already been involved. Typically this would be 2 admins at stake level and 2 at the ward level. So I think that's an easy loophole to fix - just communicate. ;)
User avatar
dobrichelovek
Member
Posts: 98
Joined: Thu Oct 11, 2007 3:35 pm
Location: Utah, USA

#47

Post by dobrichelovek »

thedqs wrote:So the dynamic information would have to be pulled off of MLS and then the local priesthood leader would have to get the information off of MLS to give to the member so that the member could reset his/her account?

Seems like a lot of extra work for both the member and the local priesthood leader without much benefit in return for the member (I only use the site as a membership directory since there isn't much else on the site).

I am just wondering if this would cause more people to migrate away from the site instead of to the site like we wanted to.

I understand your concern, but I wasn't suggesting that it be for everyone, just those who have a concern that someone malicious has the two unchangeable pieces of information that allow you to access an account. In general, this is a problem that we are using these two pieces of information assuming that they are secure pieces of information, but that is where we are. This 'fix' could protect those that can't keep that malicious person from using the information that has already been given without causing added problems for the majority of other users with nice relatives that won't abuse the data they have in their records.
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#48

Post by russellhltn »

dobrichelovek wrote:This 'fix' could protect those that can't keep that malicious person from using the information that has already been given without causing added problems for the majority of other users with nice relatives that won't abuse the data they have in their records.
What is the likelihood of that? A temple recommend is the only source of information I can think of where a relative might have the number. I'm having a hard time coming up with a likely scenario of someone having access to the information, the knowledge to use it, and the desire to create a problem using the information. Not impossible, but not likely enough to happen in any sizable number. And changing the User ID will stop that.
User avatar
thedqs
Community Moderators
Posts: 1042
Joined: Wed Jan 24, 2007 8:53 am
Location: Redmond, WA
Contact:

#49

Post by thedqs »

RussellHltn wrote:What is the likelihood of that? A temple recommend is the only source of information I can think of where a relative might have the number. I'm having a hard time coming up with a likely scenario of someone having access to the information, the knowledge to use it, and the desire to create a problem using the information. Not impossible, but not likely enough to happen in any sizable number. And changing the User ID will stop that.

Temple Recommends, copies of membership information (usually thrown away by the member after tithing settlement), copies of the MLS Database kept on a floppy or jump drive (use to more prevalent in the days of floppies) or a few places that I can think of. As for the confirmation date that can only be accessed with the last 2 pieces of documentation.

As for the likelihood I don't see any reason that someone would want to get access except for directed spam.
- David
User avatar
hpaulsen
Member
Posts: 112
Joined: Fri Mar 09, 2007 12:53 pm
Location: Barstow, CA
Contact:

#50

Post by hpaulsen »

Back to the original topic of this thread, I have a LUWS wish.

I'd like to have a place where I can post confidential information for certain groups such as meeting minutes for the stake PEC (High Council). Currently, I create password-protected pdf files but cannot email them because several of our members are on military email accounts, which block encrypted files. So my current solution is to place these in an unpublished directory of one of my own websites and send the link in the emails. Although I believe this to be reasonably secure, I am uncomfortable with having potentially sensitive information stored on an external server.
Locked

Return to “Classic Ward & Stake Sites (LUWS)”