Password resets

Toshio Kuratomi a.badger at gmail.com
Wed Mar 11 18:10:25 UTC 2009


Mike McGrath wrote:
> On Wed, 11 Mar 2009, Toshio Kuratomi wrote:
>> 5. Password resets could be introducing less secure passwords.  This
>> one's hard for me to quantify.  If you use a strong password the first
>> time, what's the likelihood that each reset will bring some number of
>> users to use an insecure password?  What's the likelihood of someone
>> using an insecure password to use a more secure password next time?
>>
>> This can be partially mitigated by using a password strength checker but
>> it was pointed out to me that a strength checker 1) doesn't catch things
>> like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't
>> as devious as someone trying to crack passwords.
>>
>> #2 is a bug in the strength checker but we're likely to have to
>> continuously work on the upstream software in order to keep things
>> secure.  Without the reward of knowing how much security we're gaining.
>>
>> #1... I don't have a solution for.
>>
> 
> I'd think http://www.nongnu.org/python-crack/ is a good start.
> 
This addresses #2.  But doesn't address #1.  If my password is
2005-03-11HutchinsonSnoopy a password strength checker isn't going to
find that an especially weak password but a cracker that's researching
their targets has a decent chance of figuring it out.

>> Would not doing a password expiration but just an account expiration be
>> okay?  I think that we can cover a pretty broad swathe of contributors
>> with something that ties into people logging into fas (because we use
>> json to log people in to web services including the wiki and they need
>> to login to get a certificate to use koji/lookaside).  We'd just have to
>> expire accounts on a longer interval than the ssl certs... like 6 months
>> for certs and 7 months for accounts.
>>
>> Thoughts on implementing alternate means of checking activity here:
>> https://fedorahosted.org/fedora-infrastructure/ticket/1237
>>
> 
> I think we shouldn't go too far out of our way for people that can't
> follow directions.  Harsh?  Yes, but what we asked of people was
> incredibly trivial.  I'd be fine with asking people to log in but I'd
> think we'll find lots of people find that confusing.  Logging in and
> setting your password is a task that has a clear beginning and end.  I can
> see people logging in expecting to see further directions and then asking
> "now what"?
> 
> We've just got so much else to do I'd hate to spend a lot of time and
> effort to please a few people that can't spend less than a minute a year
> (15 seconds every 2 months) to log in and type their password a couple of
> times and the people that complained couldn't do that.
> 
This isn't too hard to do, though.  On the data saving side, we just
need fas to record the current timestamp in lastseen whenever someone
logs into fas.

On the expiry side, we need to check the lastseen date instead of the
password_change date.

So it's just explaining to people how to show they're still active....

-Toshio
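The two-sided change Toshio sketches (stamp lastseen on login, key expiry on lastseen rather than password_change), as an added illustration that is not code from FAS or from anyone in this thread. The Account class, the 30-day month approximation and the fallback to password_change for accounts that have never been stamped are all assumptions made here for the example.

```python
from datetime import datetime, timedelta
from typing import Optional

# Intervals named in the thread: certs expire after 6 months, accounts after
# 7 months of inactivity. Months are approximated as 30 days (assumption).
CERT_LIFETIME = timedelta(days=6 * 30)
ACCOUNT_INACTIVITY_LIMIT = timedelta(days=7 * 30)

# Constructed reference time for the walkthrough below.
T0 = datetime(2009, 3, 11)


def days_after(t: datetime, n: int) -> datetime:
    return t + timedelta(days=n)


class Account:
    """Hypothetical stand-in for an account row; not the real FAS schema."""

    def __init__(self, username: str, password_change: datetime):
        self.username = username
        self.password_change = password_change
        self.lastseen: Optional[datetime] = None     # stamped on each login
        self.cert_issued: Optional[datetime] = None


def record_login(acct: Account, now: datetime) -> None:
    """Data-saving side: every successful login records the current timestamp."""
    acct.lastseen = now


def issue_cert(acct: Account, now: datetime) -> None:
    acct.cert_issued = now


def last_activity(acct: Account) -> datetime:
    """Accounts created before lastseen tracking have no stamp yet (assumed edge
    case); fall back to password_change so the first run does not expire them all."""
    return acct.lastseen or acct.password_change


def account_expired(acct: Account, now: datetime) -> bool:
    """Expiry side: compare against last activity, not the password_change date."""
    return now - last_activity(acct) > ACCOUNT_INACTIVITY_LIMIT


def cert_expired(acct: Account, now: datetime) -> bool:
    """Certs run on the shorter interval, so a cert renewal counts as a login well
    before the account check would fire."""
    return acct.cert_issued is None or now - acct.cert_issued > CERT_LIFETIME
```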
