On 01/06/12 18:35, Fabio M. Di Nitto wrote:
> On 5/30/2012 1:37 PM, Chris Dix wrote:
>> Fabio,
>>
>> If you implement a password recovery feature, that would email the new password to the user. That does no good if they don't have access to their email account.
>>
>> We probably do want an alternate email that can be used for these situations.
>
> I don't think we understood each other :)
>
> I am suggesting that every user in fas has 2 emails registered, one primary, one backup. Both active at the same time. If you lose access to one email and password to fas, you still have one backup email address that is recognized for password recovery.
>
> <sarcasm>
> If the user can manage to lose password, and access to 2 emails at the same time, I am not entirely sure I'd want his packages to be installed on my system.
> </sarcasm>
>
> The point being that there is already all the code there written to handle one email address, and it would be enough to make it understand backup address vs rewriting a whole new chunk of code for security questions, store them, hash answers, crypt the db... etc.
>
> Fabio
>
>> Chris
>>
>> On May 30, 2012 3:41 AM, "Fabio M. Di Nitto" <fdinitto@xxxxxxxxxx> wrote:
>>
>> On 5/29/2012 11:45 PM, Andre Robatino wrote:
>> > Kevin Fenzi <kevin@...> writes:
>> >
>> >> I think adding a 'security question(s)' feature would be great.
>> >>
>> >> I would strongly suggest however that the questions and answers be free form. There's little security in canned security questions that have answers people can find out. i.e., 'What was your high school?'
>> >
>> > I just use a password manager and if a site forces me to answer "security" questions, I put them in the Notes section using strong random passwords for the answers. For example
>> >
>> > What was your high school? 48ZGrNaDQR75
>> >
>> > I think the security questions should be optional in any case to save the trouble of having to make and store several strong random passwords rather than just one.
>>
>> Or maybe have primary (company?) email and private email registered.
>>
>> Instead of re-inventing a whole new chunk of code by introducing a security question and all, simply allow 2 emails to be valid at any given time.
>>
>> Fabio
>> _______________________________________________
>> infrastructure mailing list
>> infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/infrastructure

If a user maintains packages, he will know how to use a public key ;-p. And as such know gnupg and how to sign emails with his private key. People should just remember to put in their public keys.

The only reason why I was so vocal about the user asking about a change was that he is a former Red Hat employee and as such should receive a common courtesy of going the extra mile. As long as he contacts his supervisor/manager/HR person who can verify that he is who he claims to be. With other people this would be harder.

Regards,

Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
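The thread weighs two recovery designs: Fabio's "accept either the primary or the backup address" and Kevin's and Andre's free-form security questions whose answers should be stored hashed and, ideally, be random strings. The following is an added illustration written for this page, not code from FAS or from any participant; the `Account` and `RecoveryService` classes, the `$`-separated hash encoding and the PBKDF2 work factor are all assumptions. It shows the pieces a defender would want in either variant: a recovery token that is single-use, short-lived and stored only as a hash, delivery restricted to registered addresses, free-form answers stored as salted slow hashes and compared in constant time, and a generator for high-entropy answers of the kind Andre keeps in his password manager.

```python
"""Password-recovery building blocks: backup address + hashed free-form answers.
Added example for this page; not FAS code. Class names and the stored-hash
format are assumptions made for illustration."""
import hashlib
import hmac
import secrets
import time
import unicodedata

# Assumption: illustrative work factor; tune for the real deployment.
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-form answer (Unicode NFKC, casefold, collapse spaces)
    so trivial typing differences do not lock the user out; the hash is taken
    over this canonical form."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Store only a salted PBKDF2-SHA256 digest of the answer, never the answer."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/rounds and compare in constant time."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def random_answer() -> str:
    """A free-form answer with real entropy (12 URL-safe chars, 72 bits), the
    kind a password manager stores instead of a guessable biographical fact."""
    return secrets.token_urlsafe(9)


class Account:
    """Minimal account record: registered addresses and hashed question answers."""

    def __init__(self, username, primary_email, backup_email=None):
        self.username = username
        # Both addresses are valid recovery targets at the same time.
        self.emails = {e.casefold() for e in (primary_email, backup_email) if e}
        self.questions = {}  # question text -> hashed answer

    def set_question(self, question, answer):
        self.questions[question] = hash_answer(answer)


class RecoveryService:
    """Single-use, short-lived recovery tokens; only a hash of each token is kept,
    so a leaked table cannot be replayed. The clock is injectable for testing."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # sha256(token) -> (username, expiry)

    def start(self, account, requested_email):
        """Issue a token for delivery to requested_email, which must be one of the
        account's registered addresses. Returns None otherwise; the caller should
        reply identically in both cases so addresses cannot be enumerated."""
        if requested_email.casefold() not in account.emails:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (account.username, self.clock() + self.ttl)
        return token  # handed to the mailer (not shown), never logged

    def redeem(self, token, account, answers=None):
        """Consume the token. If the account has security questions, every one
        must also be answered correctly. Returns True when a reset may proceed."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)  # consumed even on failure: no retries
        if entry is None:
            return False
        username, expiry = entry
        if username != account.username or self.clock() > expiry:
            return False
        answers = answers or {}
        for question, stored in account.questions.items():
            if not verify_answer(answers.get(question, ""), stored):
                return False
        return True


if __name__ == "__main__":
    acct = Account("alice", "alice@example.org", "alice.backup@example.net")
    acct.set_question("favourite band", random_answer())
    svc = RecoveryService(ttl_seconds=60)
    print("token issued to backup address:", svc.start(acct, "alice.backup@example.net") is not None)
```

Consuming the token on a failed answer is deliberate: a recovery token must not double as an unlimited oracle for guessing answers, and the user can always request a fresh one through a registered address.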