Re: Fedora Account Migration & Production Deployment Update: COMPLETE!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Mar 27, 2021 at 11:02:58PM +0100, Björn Persson wrote:
> Kevin Fenzi wrote:
> > I'd like us to add security query/respond pairs. 
> 
> Those can very easily weaken security, as the answers are often public
> and easy for an attacker to look up, especially when there are only a
> few predefined questions to choose from.

I was not advocating predefined questions. :) 
 
> If I can enter my own question, then I can come up with some things
> that only I and my family know. That requires careful and security-
> conscious consideration. Many people would come up with insecure
> questions.

Well, I always use randomly generated words for mine. 
But I agree, some people would make poor choices there. 

> There's a limited supply of such personal secrets that I can be sure
> I'll remember, so I can't do that for too many sites. It also requires
> a not too public life. People who publish their entire lives on
> Facebook will have trouble coming up with a question that an attacker
> can't find the answer to.

Another reason to randomly generate. 

> Otherwise I'll make up a nonsensical phrase to enter as the answer, and
> store it securely. That turns the "security question" into a backup
> passphrase. If you want people to do this, then it's better to ask them
> to make up a passphrase.

Sure, that might be better, although I still like that it's a manual
process. ie, they have to tell it to an admin and the admin has to make
sure everything looks right, etc. 

But in the end there's lots of ways to do all this, but one good reason
we wanted to get off running our own account system was to not have to
deal with this so much. So, really I think we should work to improve /
land any changes we want here in IPA itself. Then everyone can benifit
from it, and the IPA team that has a lot more security experence than I
can do the right thing implementing it. :) 

Of course IPA has focused on the corp setting and this is kind of an
expansion of their area, so we will need to discuss things with them I
think.

kevin

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux