Fedora Account Change

Fabio M. Di Nitto fdinitto at redhat.com
Fri Jun 1 17:35:21 UTC 2012


On 5/30/2012 1:37 PM, Chris Dix wrote:
> Fabio,
> 
> If you implement a password recovery feature, that would email the new
> password to the user. That does no good if they don't have access to
> their email account.
> 
> We probably do want an alternate email that can be used for these
> situations.

I don't think we understood each other :)

I am suggesting that every user in fas has 2 emails registered, one
primary, one backup. Both active at the same time. If you lose access to
one email and password to fas, you still have one backup email address
that is recognized for password recovery.

<sarcasm>
If the user can manage to lose password, and access to 2 emails at the
same time, I am not entirely sure I'd want his packages to be installed
on my system.
</sarcasm>

The point being that there is already all the code there written to
handle one email address, and it would be enough to make it understand
backup address vs rewriting a whole new chunk of code for security
questions, store them, hash answers, crypt the db... etc.

Fabio

> 
> Chris
> 
> On May 30, 2012 3:41 AM, "Fabio M. Di Nitto" <fdinitto at redhat.com> wrote:
> 
>     On 5/29/2012 11:45 PM, Andre Robatino wrote:
>     > Kevin Fenzi <kevin at ...> writes:
>     >
>     >> I think adding a 'security question(s)' feature would be great.
>     >>
>     >> I would strongly suggest however that the questions and answers be free
>     >> form. There's little security in canned security questions that have
>     >> answers people can find out. ie, 'What was your high school?'
>     >
>     > I just use a password manager and if a site forces me to answer "security"
>     > questions, I put them in the Notes section using strong random passwords for the
>     > answers. For example
>     >
>     > What was your high school? 48ZGrNaDQR75
>     >
>     > I think the security questions should be optional in any case to save the
>     > trouble of having to make and store several strong random passwords rather than
>     > just one.
> 
>     Or maybe have primary (company?) email and private email registered.
> 
>     Instead of re-inventing a whole new chunk of code by introducing a
>     security question and all, simply allow 2 emails to be valid at any
>     given time.
> 
>     Fabio
>     _______________________________________________
>     infrastructure mailing list
>     infrastructure at lists.fedoraproject.org
>     <mailto:infrastructure at lists.fedoraproject.org>
>     https://admin.fedoraproject.org/mailman/listinfo/infrastructure
> 


