[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Password resets



Mike McGrath wrote:
> So holy crap does the planet hate it when you ask people to reset their
> passwords.  In particular though, they hated the following:
> 
> 1. Kittens
> 
> 2. "Password Expiration" is confusing and does not imply "account
> expiration".  Some may have ignored the warning because they did not
> understand what the consequences were.
> 
> 3. Mail aliases going away.  This one's legit and accounts for the only
> data loss we actually had.
> 
> 4. fedorapeople space going away and not coming back automatically.

Possible implementation here:
https://fedorahosted.org/fedora-infrastructure/ticket/1244#comment:1

> 
5. Password resets could be introducing less secure passwords.  This
one's hard for me to quantify.  If you use a strong password the first
time, what's the likelihood that each reset will bring some number of
users to use an insecure password?  What's the likelihood of someone
using an insecure password to use a more secure password next time (?

This can be partially mitigated by using a password strength checker but
it was pointed out to me that a strength checker 1) doesn't catch things
like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't
as devious as someone trying to crack passwords.

#2 is a bug in the strength checker but we're likely to have to
continuously work on the upstream software in order to keep things
secure.  Without the reward of knowing how much security we're gaining.

#1... I don't have a solution for.

> 
> I'm going to disable password reset/account expiration until at least 3 of
> the 4 above are done.
> 
> Please hate me a little less now.  Thoughts?
> 
Would not doing a password expiration but just an account expiration be
okay?  I think that we can cover a pretty broad swathe of contributors
with something that ties into people logging into fas (because we use
json to log people in to web services including the wiki and they need
to login to get a certificate to use koji/lookaside).  We'd just have to
expire accounts on a longer interval than the ssl certs... like 6 months
for certs and 7 months for accounts.

Thoughts on implementing alternate means of checking activity here:
https://fedorahosted.org/fedora-infrastructure/ticket/1237

-Toshio

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]