Password resets

Mike McGrath mmcgrath at redhat.com
Wed Mar 11 18:43:30 UTC 2009


On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:

> Mike McGrath wrote:
> > On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:
> >
> >
> > > Mike McGrath wrote:
> > >
> > > > I think we shouldn't go too far out of our way for people that can't
> > > > follow directions.  Harsh?  Yes, but what we asked of people was
> > > > incredibly trivial.  I'd be fine with asking people to log in but I'd
> > > > think we'll find lots of people find that confusing.  Logging in and
> > > > setting your password is a task that has a clear beginning and end.  I
> > > > can see people logging in expecting to see further directions and then
> > > > asking "now what"?
> > > >
> > > >
> > > Why tell them at all? If you change it to 'activity shown on account'
> > > (which, IMNSHO, is
> > >
> >
> > NSHO?  who are you?
> >
>
> *Sigh*...
>
> I did not really wish to reveal this, in public, however, since you asked...
>
> I'm a former blackhat hacker, whom the government has banned from working ANY
> security and/or government job.
>
> Suffice it to say, I understand security (or lack thereof) better than most,
> though I may be rusty/out of date in some areas.
>
> I do not tell you this to brag, I actually regret my past more and more as I
> get older.
> My 'prior life' has bought me more pain than glory.
>

I discovered long ago there's no glory in what we do.  Gotta fight the
good fight just because it's there.

> > > the proper way)... the only reason for having people login will be
> > > immediately obvious via a properly worded email (ie., "Due to inactivity
> > > on your FAS account, your account will be terminated in 1 month, unless
> > > the following steps are taken...").
> > >
> > >
> >
> > The only common point of entry for all of our services is the account
> > system and people rarely use it without being asked to so we'll still have
> > to do some emailing.
> >
> >
>
> Aren't pkgdb, koji, bodhi and other services all a part of FAS?
> If I'm right here... then I suspect people are logging into FAS more often
> than you believe.
>

Not all of them auth in the same way unfortunately and it's not as quick
of a fix as it sounds like.

> > > > We've just got so much else to do I'd hate to spend a lot of time and
> > > > effort to please a few people that can't spend less than a minute a year
> > > > (15 seconds every 2 months) to log in and type their password a couple
> > > > of times and the people that complained couldn't do that.
> > > >
> > > >
> > > Many fail to realize that the same password they used before could be used
> > > again.
> > > Hence the complaints.
> > >
> >
> > Ehh, no.  Almost no one has complained that they actually had to change
> > their password to something else.  And you can be damn sure I'll spell
> > that out explicitly in the next email so everyone gets it.
> >
> > 	-Mike
> >
>
> As Toshio has already brought up on this list (after I brought it to his
> attention)... people have a tendency to select progressively weaker
> passwords every time they are forced to change one.
>
> So your idea of 'security' is actually INTRODUCING more holes than it's
> plugging.
>

It's not my idea of security, it's my idea of a task.  I just want some
concrete thing that has a beginning, middle, and end for people to do so we
can prune accounts.  Logging in and typing your password a couple of times
(and keeping it the same thing).  Doesn't sound like it's introducing or
removing any holes.

Sorry to hear you won't be discussing it further.

	-Mike




More information about the Fedora-infrastructure-list mailing list