The password change is understandable, but why force an SSH key change with such short notice? And what if the SSH key is a hard token (smartcard) which cannot be copied or trivially changed? Switching to a soft key would be mostly counter-productive from a security point of view. Now, I was not currently using my hard token smartcard key for Fedora for other reasons, but I would have been quite annoyed by this change requirement if I were.

And why is so much of the Fedora infrastructure relying on plain text password exchanges (within SSL, but still plain text at the Fedora servers) when there is both HTTP digest authentication (no plaintext seen by Fedora servers) and SSL certificates and SSH keys, all three of which serve as a much better identification method?

And you forgot the one most important DON'T in the list. Never use the same password for two different systems. Do not use the same password for your Fedora account as you use for Hotmail / GMail / At Work / Facebook / Whatever.

But even then, the security of Fedora accounts is no stronger than the security of the email associated with an account. Quite pointless to try to bolster the security very high when all that is needed to take over a standard Fedora account is to have access to the email (account or traffic) of the Fedora account. Sure, a full account takeover is more likely to get noticed than a stolen password, but it still sets the level of expected security.

Regards
Henrik

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel