On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
> On 12 October 2011 17:44, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> > All existing users of the Fedora Account System (FAS) at
> > https://admin.fedoraproject.org/accounts are required to change their
> > password and upload a NEW ssh public key before 2011-11-30.
>
> I have to upload a *new* public key? Why should I have two sets of keys?

Meant 'replacement'. You can only have one key in FAS, afaict.

> > * Nine or more characters with lower and upper case letters, digits and
> >   punctuation marks.
> > * Ten or more characters with lower and upper case letters and digits.
> > * Twelve or more characters with lower case letters and digits.
> > * Twenty or more characters with all lower case letters.
>
> This is just insane. My existing password is 8 digits and
> alphanumeric, and given that I have to enter it over and over again
> (and prove "I'm human", another WTF) when creating updates I'm really
> wondering if I want to bother.
>
> Talk about putting up barriers.

I can think of no reason why everyone shouldn't use a password manager. It's just hands down a better way to do things in every respect.

Eight characters alphanumeric is not actually a very strong password; the numbers on how long it'd take to brute force with e.g. EC2 are quite tiny. And an account like yours certainly counts as high-value.

This is clearly not a theoretical threat: kernel.org _was compromised_. mysql _was compromised_. winehq _was compromised_. There are actual real-world attackers out there right now going after open source project systems, precisely using attacks on weak and shared credentials. This is not some stupid 'best practice' thing, this is a practical attempt to prevent us falling victim to specific and very obviously real threats.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
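As an added illustration of the four password options quoted in the announcement and of the keyspace argument in the reply (this is example code written for this page, not anything from FAS or the thread), the checker below accepts a password if it meets any one option, and the keyspace helpers show how an 8-character alphanumeric password compares; the guess rate used in the main block is an assumed figure, since the thread gives no number.

```python
import math
import string

# Minimum length and required character classes for each option in the
# quoted FAS announcement; a password passes if it meets any one option.
# Extra classes beyond those listed do not disqualify a password.
FAS_POLICY = [
    (9, {"lower", "upper", "digit", "punct"}),
    (10, {"lower", "upper", "digit"}),
    (12, {"lower", "digit"}),
    (20, {"lower"}),
]

ALPHABET_SIZE = {"lower": 26, "upper": 26, "digit": 10, "punct": len(string.punctuation)}


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")  # whitespace, non-ASCII: satisfies no option
    return classes


def meets_fas_policy(password):
    """True if the password satisfies at least one length/class option above."""
    present = char_classes(password)
    return any(len(password) >= min_len and required <= present
               for min_len, required in FAS_POLICY)


def keyspace_bits(length, classes):
    """log2 of the number of strings of this length over the union of the classes."""
    return length * math.log2(sum(ALPHABET_SIZE[c] for c in classes))


def worst_case_days(length, classes, guesses_per_second):
    """Days needed to enumerate the whole keyspace at a constant guess rate."""
    return 2 ** keyspace_bits(length, classes) / guesses_per_second / 86400


if __name__ == "__main__":
    RATE = 1e10  # assumed guess rate for illustration only
    print("8-char alnum:", worst_case_days(8, {"lower", "upper", "digit"}, RATE))
    for min_len, required in FAS_POLICY:
        print(min_len, sorted(required), worst_case_days(min_len, required, RATE))
```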