Toshio Kuratomi wrote:
> Mike McGrath wrote:
>> So holy crap does the planet hate it when you ask people to reset their
>> passwords. In particular though, they hated the following:
>>
>> 1. Kittens
>>
>> 2. "Password Expiration" is confusing and does not imply "account
>> expiration". Some may have ignored the warning because they did not
>> understand what the consequences were.
>>
>> 3. Mail aliases going away. This one's legit and accounts for the only
>> data loss we actually had.
>>
>> 4. fedorapeople space going away and not coming back automatically.
>
> Possible implementation here:
> https://fedorahosted.org/fedora-infrastructure/ticket/1244#comment:1
>
> 5. Password resets could be introducing less secure passwords. This
> one's hard for me to quantify. If you use a strong password the first
> time, what's the likelihood that each reset will bring some number of
> users to use an insecure password? What's the likelihood of someone
> using an insecure password to use a more secure password next time?
>
> This can be partially mitigated by using a password strength checker, but
> it was pointed out to me that a strength checker 1) doesn't catch things
> like BIRTHDATE + WIFESNAME + FIRSTPET and 2) strength checkers often aren't
> as devious as someone trying to crack passwords.
>
> #2 is a bug in the strength checker, but we're likely to have to
> continuously work on the upstream software in order to keep things
> secure, without the reward of knowing how much security we're gaining.
>
> #1... I don't have a solution for.
>
>> I'm going to disable password reset/account expiration until at least 3 of
>> the 4 above are done.
>>
>> Please hate me a little less now. Thoughts?
>>
> Would not doing a password expiration but just an account expiration be
> okay? I think that we can cover a pretty broad swathe of contributors
> with something that ties into people logging into FAS (because we use
> JSON to log people in to web services including the wiki, and they need
> to log in to get a certificate to use koji/lookaside). We'd just have to
> expire accounts on a longer interval than the SSL certs... like 6 months
> for certs and 7 months for accounts.

+1

Even if they were required to log in to the FAS web UI as an indication
that their account was still active, I think that would be preferable to
forced password resets.

> Thoughts on implementing alternate means of checking activity here:
> https://fedorahosted.org/fedora-infrastructure/ticket/1237

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
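The policy sketched in the thread (expire idle accounts rather than passwords, count any FAS login, including the JSON login used by the wiki and the login needed to fetch a koji/lookaside certificate, as activity, and make the account idle limit longer than the certificate lifetime) can be written down as a small sweep. The block below is an added example, not code from the Fedora infrastructure team or from FAS; the `Account` record, the 182/213-day constants, the 14-day warning window and the sample accounts are assumptions made for the illustration. The notice text deliberately says "account" rather than "password", which is point 2 in Mike's list.

```python
"""Activity-based account expiration sweep (illustrative; not FAS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed intervals, following the thread's "6 months for certs, 7 months
# for accounts". Any active contributor who only uses cert-based services
# must renew a cert (and therefore log in to FAS) at least once every
# CERT_LIFETIME, which refreshes their activity timestamp before the
# account limit is reached. The assert documents that ordering requirement.
CERT_LIFETIME = timedelta(days=182)
ACCOUNT_IDLE_LIMIT = timedelta(days=213)
WARN_BEFORE = timedelta(days=14)
assert ACCOUNT_IDLE_LIMIT > CERT_LIFETIME + WARN_BEFORE

# Fixed "now" so the example is reproducible offline (constructed value).
REFERENCE_NOW = datetime(2010, 1, 1, tzinfo=timezone.utc)


@dataclass
class Account:
    username: str
    created: datetime
    last_web_login: Optional[datetime] = None    # FAS web UI
    last_json_login: Optional[datetime] = None   # JSON auth used by wiki etc.
    last_cert_issued: Optional[datetime] = None  # koji/lookaside cert fetch


def last_activity(acct: Account) -> datetime:
    """Most recent evidence that a human used the account.

    Account creation is the floor, so an account with no recorded logins
    still gets a deterministic expiry instead of living forever.
    """
    events = [acct.created, acct.last_web_login,
              acct.last_json_login, acct.last_cert_issued]
    return max(t for t in events if t is not None)


def evaluate(acct: Account, now: datetime) -> tuple[str, datetime]:
    """Return (status, expires_at); status is active, warn or expired."""
    expires_at = last_activity(acct) + ACCOUNT_IDLE_LIMIT
    if now >= expires_at:
        return "expired", expires_at
    if now >= expires_at - WARN_BEFORE:
        return "warn", expires_at
    return "active", expires_at


def notice(acct: Account, now: datetime) -> Optional[str]:
    """Warning text; talks about the *account*, not the password."""
    status, expires_at = evaluate(acct, now)
    if status != "warn":
        return None
    return (f"Your account {acct.username} will be expired on "
            f"{expires_at.date()} for inactivity. Logging in to FAS "
            f"(web UI, wiki, or a certificate fetch) keeps it active.")


def sweep(accounts: list[Account], now: datetime) -> dict[str, list[str]]:
    """Bucket usernames by status, as a nightly cron job would."""
    out: dict[str, list[str]] = {"active": [], "warn": [], "expired": []}
    for acct in accounts:
        out[evaluate(acct, now)[0]].append(acct.username)
    return out


def sample_accounts() -> list[Account]:
    """Constructed sample data covering each branch of the policy."""
    d = lambda n: REFERENCE_NOW - timedelta(days=n)
    return [
        # Recent web login: clearly active.
        Account("alice", created=d(900), last_web_login=d(10)),
        # Only a cert fetch, 200 days ago: 13 days from expiry -> warn.
        Account("bob", created=d(400), last_cert_issued=d(200)),
        # Last seen via JSON login 220 days ago: past the limit -> expired.
        Account("carol", created=d(500), last_json_login=d(220)),
        # Never logged in since creation 300 days ago -> expired.
        Account("dave", created=d(300)),
    ]


if __name__ == "__main__":
    for name, users in sweep(sample_accounts(), REFERENCE_NOW).items():
        print(f"{name:8s} {users}")
    for acct in sample_accounts():
        if (msg := notice(acct, REFERENCE_NOW)):
            print(msg)
```

The sweep is pure policy evaluation; the side effects the thread worries about (dropping mail aliases, removing fedorapeople space) would hang off the "expired" bucket and are intentionally not modelled here.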