On Thu, 5 Sep 2013 12:36:25 -0700 Toshio Kuratomi <a.badger@xxxxxxxxx> wrote: > By another idea -- you mean unrelated, correct? If so, I'd think we > might consider just sending email on any failed login attempt, > password or 2fa. > > Successful password and failed 2fa would certainly be something to > highlight more to the user, though -- > > "If you did not attempt this failed login, you should consider your > Fedora Account System Password Compromised. Please change it in the > Account System and any other systems that you might be using it > (contrary to best practices)" I'd prefer to avoid email on failed password unless we had some rate limiting. Otherwise it's a way to allow anyone to DOS your email box. Also, if we send email to users we should point them to a wiki page/faq about what to do or who to contact. Otherwise they will get confused. kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
