No more Bugzilla for me

Ray Van Dolson rayvd at bludgeon.org
Wed Apr 22 07:06:43 UTC 2009


On Wed, Apr 22, 2009 at 08:58:27AM +0200, Ralf Corsepius wrote:
> Jesse Keating wrote:
>> On Wed, 2009-04-22 at 14:31 +1000, Rodd Clarkson wrote:
>>> Ah, I'm a little confused.
>>>
>>> All that was requested was a change of password.  This doesn't stop Joe
>>> Public from signing up and accessing bugzilla, and presumably doesn't
>>> stop Joe from viewing leaky NDA's.
>>>
>>> All it seems to do is make me have to change a password.
>>>
>>> Surely if there are leaks using the old password, then there's still
>>> leaks with my new password (which is actually my old password since I
>>> went back in and changed it back).
>>
>> There is a theory that changing passwords on a regular bases lessens the
>> risk of somebody's password being stolen and used nefariously.
> There are studies, which state to counterprove such statements (Sorry,  
> nor reference at hand).
>
> They claim the key to password security is to use strong passwords,  
> while frequently changing passwords only cause users to reuse the same  
> or variations of the weak passwords they already used elsewhere.

Enforcing frequent unique password changes results in users writing
their passwords down and storing them on their monitors, under their
keyboards, etc :)

That or a frequent need for password resets.

Ray




More information about the fedora-devel-list mailing list