On Wed, May 30, 2012 at 9:41 AM, Fabio M. Di Nitto <fdinitto@xxxxxxxxxx> wrote:
> On 5/29/2012 11:45 PM, Andre Robatino wrote:
>> Kevin Fenzi <kevin@...> writes:
>>
>>> I think adding a 'security question(s)' feature would be great.
>>>
>>> I would strongly suggest however that the questions and answers be free
>>> form. There's little security in canned security questions that have
>>> answers people can find out. i.e., 'What was your high school?'
>>
>> I just use a password manager and if a site forces me to answer "security"
>> questions, I put them in the Notes section using strong random passwords for the
>> answers. For example
>>
>> What was your high school? 48ZGrNaDQR75
>>
>> I think the security questions should be optional in any case to save the
>> trouble of having to make and store several strong random passwords rather than
>> just one.
>
> Or maybe have primary (company?) email and private email registered.
>
> Instead of re-inventing a whole new chunk of code by introducing a
> security question and all, simply allow 2 emails to be valid at any
> given time.

Another possibility would be to let 2 people from an "important" group
guarantee that the person requesting access to an account is the
proper one.

e.g. when you know 2 ambassadors/packager/translator/whatever in person
or somewhere else, you can be sure it's the same one, I don't see a
reason to get him/her access to the account again. This is kind of
similar to verifying the GPG key given in the account.

(hint: "Important" group above means non-cla and non-fedorahosted-git*
group for me.)

Greetings,
Tom
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure