Normalizing user emails

April 10, 2007

We just normalized our user database and forms so that all emails are compared as lowercase. That means that Trac permissions and authentication will be case insensitive.

This makes things much easier and a bit less confusing. However, we were not able to get Apache’s authentication for Subversion to authenticate while ignoring case, which means for now you’ll be required to use lowercase emails when authenticating for Subversion. For most people this should be a non-issue since most emails aren’t mixed case, but for the rest of you, we hope this doesn’t inconvenience you too much. We may be asking you to break habit, but at the same time it’s fewer keys to press. ; )

If it becomes that big of an issue, we can start hacking Apache modules. But we’d rather focus on more important issues in this infrastructure phase, like migrating all your data to a replicated PostgreSQL database and getting Trac off CGI onto tracd clusters.


4 Responses to “Normalizing user emails”

  1. How about making sure the email addresses aren’t exposed directly? I recently registered for a DevjaVu project, and was surprised to see email addresses in clear text when I filed a bug on a project.

    And pet peeve #2, why isn’t there a Trac instance for the DevjaVu project itself so I can file bugs instead of submitting them in blog comments? ;)

    Great initiative, btw — the world needs something a bit more sane than Sourceforge.

  2. Jeff Lindsay Says:

    There is a Trac for submitting DevjaVu tickets. It’s just not easy to get to. I want to have a different UI for bugs eventually, but here it is for now:

    I’d love to hear solutions to the email problem. One idea is to have localized user aliases, but that might not apply for anonymous users that submit tickets. What would you prefer? We already obfuscate from bots in the code, so it’s just a matter of privacy, right?

    Feel free to email us for a longer discussion or check out the forums.

  3. John Hoffoss Says:

    Suggestion: Perhaps add hosted PunBB to the app suite? Or a prettier, fancy Ruby BB or something.

    Email addresses should be normalized to lower-case. It’s been a long time since I’ve ever seen anyone who did not receive an email because their address was in the wrong case. For display name, you could allow the user to set an alias, but still require login via email address.

    For passwords, you should *never* normalize a password. Doing so essentially makes a password ~50% easier for a bad-guy to guess. And if you’re not, you should store passwords encrypted hashed (i.e. SHA256, MD5) rather than plain-text. Then your authentication scheme hashes the credentials supplied and compares to that stored in the user account.

  4. Jeff Lindsay Says:

    Actually I run (but don’t maintain) JellyBB, which is a hosted PunBB service. DevjaVu could benefit from an integrated communication solution, but I’m not sure what the best solution is in this case, so I don’t want to jump to anything just yet. For now, Google Groups acts pretty good as both a mailing list and a forum (using it via the web).

    Yeah, with the emails I’m not sure what happened. I thought we were normalizing emails until fairly recently when a lot of people were having issues trying to log in with a lowercase email after registering a mixed case email. But you’re right, emails should be normalized, so I’m glad we’re finally doing it. :P

    For passwords, what’s better than hashing is hashing with a salt. But we would never think to normalize passwords. ; )
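
The post's lowercase comparison and the comment thread's point about salted password hashes, as an added example that is not code from the original post or from DevjaVu. `UserStore`, `find_case_collisions`, the sample addresses and the choice of PBKDF2-HMAC-SHA256 with this round count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 600_000  # assumed work factor, not a value from the post


def normalize_email(email):
    """Canonical form for every comparison (trimming whitespace is an added assumption)."""
    return email.strip().lower()


def find_case_collisions(emails):
    """Pre-migration check: stored addresses that merge into one once lowercased."""
    groups = defaultdict(list)
    for e in emails:
        groups[normalize_email(e)].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


def hash_password(password, salt=None):
    """Salted hash; the password bytes are used exactly as typed, never case-folded."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    """Hypothetical in-memory user table keyed by normalized email."""

    def __init__(self):
        self._users = {}  # normalized email -> (salt, digest)

    def register(self, email, password):
        key = normalize_email(email)
        if key in self._users:  # "Alice@..." and "alice@..." are the same account
            return False
        self._users[key] = hash_password(password)
        return True

    def authenticate(self, email, password):
        record = self._users.get(normalize_email(email))
        if record is None:
            return False
        salt, expected = record
        _, actual = hash_password(password, salt)
        return hmac.compare_digest(actual, expected)  # constant-time comparison
```

Running `find_case_collisions` over the existing table before switching to lowercase keys shows which accounts need manual merging.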
