On 5/30/2012 1:37 PM, Chris Dix wrote:
> Fabio,
>
> If you implement a password recovery feature, that would email the new
> password to the user. That does no good if they don't have access to
> their email account.
>
> We probably do want an alternate email that can be used for these
> situations.

I don't think we understood each other :)

I am suggesting that every user in fas has 2 emails registered, one
primary, one backup. Both active at the same time.

If you lose access to one email and password to fas, you still have one
backup email address that is recognized for password recovery.

<sarcasm>
If the user can manage to lose password, and access to 2 emails at the
same time, I am not entirely sure I'd want his packages to be installed
on my system.
</sarcasm>

The point being that there is already all the code there written to
handle one email address, and it would be enough to make it understand
a backup address vs rewriting a whole new chunk of code for security
questions, store them, hash answers, crypt the db... etc.

Fabio

>
> Chris
>
> On May 30, 2012 3:41 AM, "Fabio M. Di Nitto" <fdinitto@xxxxxxxxxx
> <mailto:fdinitto@xxxxxxxxxx>> wrote:
>
> > On 5/29/2012 11:45 PM, Andre Robatino wrote:
> > > Kevin Fenzi <kevin@...> writes:
> > >
> > >> I think adding a 'security question(s)' feature would be great.
> > >>
> > >> I would strongly suggest however that the questions and answers
> > >> be free form. There's little security in canned security questions
> > >> that have answers people can find out. ie, 'What was your high school?'
> > >
> > > I just use a password manager and if a site forces me to answer
> > > "security" questions, I put them in the Notes section using strong
> > > random passwords for the answers. For example
> > >
> > > What was your high school? 48ZGrNaDQR75
> > >
> > > I think the security questions should be optional in any case to
> > > save the trouble of having to make and store several strong random
> > > passwords rather than just one.
> >
> > Or maybe have primary (company?) email and private email registered.
> >
> > Instead of re-inventing a whole new chunk of code by introducing a
> > security question and all, simply allow 2 emails to be valid at any
> > given time.
> >
> > Fabio
> > _______________________________________________
> > infrastructure mailing list
> > infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> > <mailto:infrastructure@xxxxxxxxxxxxxxxxxxxxxxx>
> > https://admin.fedoraproject.org/mailman/listinfo/infrastructure
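Fabio's two-address proposal, sketched as an added example; this is not code from the thread or from FAS, and the Account fields, request_reset and redeem_reset are hypothetical names. It shows recovery being initiated only for an address the account actually registered (either one), with the reset token hashed at rest, time-limited and single-use.

```python
# Added example (not from the thread, not FAS code): minimal model of
# password recovery with two equally valid registered addresses.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    primary_email: str
    backup_email: str
    # token_hash -> expiry timestamp; only the hash of a token is stored
    pending_resets: dict = field(default_factory=dict)

    def recognized_emails(self):
        """Both addresses are live at the same time, as proposed."""
        return {self.primary_email.lower(), self.backup_email.lower()}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(account: Account, requested_email: str, ttl: int = 900, now=None):
    """Issue a reset token only for an address the account registered.
    Unknown addresses get nothing; the caller should answer identically
    in both cases so the response does not reveal which addresses exist."""
    now = now if now is not None else time.time()
    if requested_email.lower() not in account.recognized_emails():
        return None
    token = secrets.token_urlsafe(32)
    account.pending_resets[_hash_token(token)] = now + ttl
    # the existing one-address mail code would send `token` to requested_email
    return token


def redeem_reset(account: Account, token: str, now=None) -> bool:
    """Consume the token; valid exactly once and only before expiry."""
    now = now if now is not None else time.time()
    digest = _hash_token(token)
    for stored, expiry in list(account.pending_resets.items()):
        if hmac.compare_digest(stored, digest):
            del account.pending_resets[stored]  # single use, even if expired
            return expiry >= now
    return False
```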