On Wed, Apr 22, 2009 at 12:48:48PM -0400, Felix Miata wrote:
> On 2009/04/22 08:35 (GMT-0700) Adam Williamson composed:
>
> > The point is that some Bugzilla accounts have access to such sensitive
> > information, thus we need to have a reasonably strong security policy
> > for Bugzilla accounts.
>
> I don't understand. AFAIK, anyone who asks can receive an account. As a
> consequence, the only real point of a password on an ordinary account is to
> ensure a particular account remains associated with and used by only one person.
>
> OTOH, sensitive information needs protection from anyone in a position to
> divulge without potential for recompense. Thus access to protected
> information should be limited to non-ordinary accounts, and only those
> non-ordinary accounts should need more than nominal security, if any security
> at all.
>
> What am I missing?

I think the point is that some accounts are more privileged than others.
Should these accounts have their passwords compromised, more sensitive
information could potentially be released.

Likely the password change requirements are a "due diligence" thing that
lets the suits say "see we have such and such in place" and decrease their
liability should someone's account be compromised.

Of course, as has been mentioned, requiring these types of frequent password
changes has questionable returns in security value...

Ray

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list