Mike McGrath wrote:
> So holy crap does the planet hate it when you ask people to reset their
> passwords. In particular though, they hated the following:
>
> 1. Kittens
>
> 2. "Password Expiration" is confusing and does not imply "account
> expiration". Some may have ignored the warning because they did not
> understand what the consequences were.
>
> 3. Mail aliases going away. This one's legit and accounts for the only
> data loss we actually had.
>
> 4. fedorapeople space going away and not coming back automatically.

Possible implementation here:
https://fedorahosted.org/fedora-infrastructure/ticket/1244#comment:1

> 5. Password resets could be introducing less secure passwords.

This one's hard for me to quantify. If you use a strong password the first time, what's the likelihood that each reset will bring some number of users to use an insecure password? What's the likelihood of someone using an insecure password using a more secure password next time?

This can be partially mitigated by using a password strength checker, but it was pointed out to me that a strength checker 1) doesn't catch things like BIRTHDATE + WIFESNAME + FIRSTPET, and 2) strength checkers often aren't as devious as someone trying to crack passwords. #2 is a bug in the strength checker, but we're likely to have to continuously work on the upstream software in order to keep things secure, without the reward of knowing how much security we're gaining. #1... I don't have a solution for.

> I'm going to disable password reset/account expiration until at least 3 of
> the 4 above are done.
>
> Please hate me a little less now. Thoughts?

Would not doing a password expiration but just an account expiration be okay? I think that we can cover a pretty broad swathe of contributors with something that ties into people logging into fas (because we use json to log people in to web services including the wiki, and they need to login to get a certificate to use koji/lookaside).

We'd just have to expire accounts on a longer interval than the ssl certs... like 6 months for certs and 7 months for accounts.

Thoughts on implementing alternate means of checking activity here:
https://fedorahosted.org/fedora-infrastructure/ticket/1237

-Toshio
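Added illustration (not code from this thread or from FAS): the activity-based account expiration Toshio sketches above, treating any FAS login (direct or via the JSON auth used by the wiki) or a cert request for koji/lookaside as activity, with the 6-month cert and 7-month account intervals from the message. The 30-day warning window, the day counts chosen for "6 months" and "7 months", and the sample accounts are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Intervals from the thread: certs live ~6 months, idle accounts expire after ~7 months.
# The exact day counts and the warning window are assumptions for this example.
CERT_LIFETIME = timedelta(days=182)
ACCOUNT_IDLE_LIMIT = timedelta(days=213)
WARN_BEFORE = timedelta(days=30)


def intervals_consistent() -> bool:
    """The account interval must exceed the cert lifetime, otherwise a
    contributor whose only activity is cert renewal gets expired first."""
    return ACCOUNT_IDLE_LIMIT > CERT_LIFETIME


@dataclass
class Account:
    name: str
    created: date
    last_fas_login: Optional[date] = None   # direct FAS login or JSON auth (wiki etc.)
    last_cert_issued: Optional[date] = None  # cert requested for koji/lookaside


def last_activity(acct: Account) -> date:
    """Most recent activity across all sources; creation counts so new accounts
    are not expired before they have had a chance to do anything."""
    events = [d for d in (acct.created, acct.last_fas_login, acct.last_cert_issued) if d]
    return max(events)


def classify(acct: Account, today: date) -> str:
    """Return 'active', 'warn' (inside the warning window) or 'expire'."""
    idle = today - last_activity(acct)
    if idle >= ACCOUNT_IDLE_LIMIT:
        return "expire"
    if idle >= ACCOUNT_IDLE_LIMIT - WARN_BEFORE:
        return "warn"
    return "active"


# Constructed sample accounts (not real FAS data).
SAMPLE = [
    Account("active-user", date(2008, 1, 1), last_fas_login=date(2009, 6, 1)),
    Account("cert-only-user", date(2008, 1, 1), last_cert_issued=date(2008, 11, 20)),
    Account("warned-user", date(2008, 1, 1), last_fas_login=date(2008, 12, 15)),
    Account("new-user", date(2009, 6, 25)),
]


def report(today: date = date(2009, 7, 1)) -> dict:
    return {a.name: classify(a, today) for a in SAMPLE}
```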
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list