V Wed, Sep 07, 2022 at 08:53:15AM -0400, Stephen Smoogen napsal(a): > On Wed, 7 Sept 2022 at 08:27, Petr Pisar <ppisar@xxxxxxxxxx> wrote: > > Shouldn't we instead start with strengthening the credentials reset even > > for password-only authentication? I.e. disallowing the reset. Or enabling > > having multiple passwords. > > > > > Maybe. What work do you not want done in Fedora for the next couple of years > to do this. There are a lot of 'OMG we need this' initiatives and very few > volunteers who have the skill level to help anymore. > > That said, having multiple passwords without additional tokens attached is > a security nightmare. I have dealt with 6 systems which had them because > people thought it would cut down work and it either ramped up work or ended > up with security compromises which were horrible. Disallowing resets end up > requiring about 2-3 people whose main job every couple of minutes is to go > through some form to try and confirm a person is who they are and then reset > manually. You are welcome to take that over as your full time job. > My idea of disallowing reset is no reset. That does not mean somobody will manually reset records in a database. It means no way. It means new account, a different login name and repeating the onboarding process (becoming a packager, nonresponsive process for the old account, overtaking orphaned packages). -- Petr
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
