On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
> On 12 October 2011 17:44, Kevin Fenzi <kevin(a)scrye.com> wrote:
>> All existing users of the Fedora Account System (FAS) at
>> are required to change their
>> password and upload a NEW ssh public key before 2011-11-30.
> I have to upload a *new* public key? Why should I have two sets of keys?
Meant 'replacement'. You can only have one key in FAS, afaict.
>> * Nine or more characters with lower and upper case letters,
>> punctuation marks.
>> * Ten or more characters with lower and upper case letters and digits.
>> * Twelve or more characters with lower case letters and digits.
>> * Twenty or more characters with all lower case letters.
> This is just insane. My existing password is 8 digits and
> alphanumeric, and given that I have to enter it over and over again
> (and prove "I'm human", another WTF) when creating updates I'm really
> wondering if I want to bother.
> Talk about putting up barriers.
I can think of no reason why everyone shouldn't use a password manager.
It's just hands down a better way to do things in every respect. Eight
characters alphanumeric is not actually a very strong password; the
numbers on how long it'd take to brute force with e.g. EC2 are quite
tiny. And an account like yours certainly counts as high-value.
This is clearly not a theoretical threat: kernel.org
mysql _was compromised_. winehq _was compromised_. There are actual
real-world attackers out there right now going after open source project
systems, precisely using attacks on weak and shared credentials. This is
not some stupid 'best practice' thing, this is a practical attempt to
prevent us falling victim to specific and very obviously real threats.
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
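The four password tiers quoted from the FAS announcement, set against the eight-character alphanumeric baseline discussed in the thread, as an added worked example: this is not code from FAS or from anyone in the thread. It assumes a password qualifies for a tier when it is at least the tier's minimum length and contains at least one character from every class the tier names, and it assumes a uniformly random choice from exactly those classes when sizing each tier's smallest keyspace; the sample passwords are constructed.

```python
"""Checker for the four quoted FAS password tiers, plus a keyspace comparison
against the 8-character alphanumeric password under discussion.

Added example, not FAS code.  The tier rule (minimum length reached and at
least one character from every class the tier names) is an assumption about
how the announcement's wording is applied.
"""
import math
import string

# Character classes a password can draw from, with the size of each class.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "punct": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}

# The four tiers from the announcement: (label, minimum length, required classes).
TIERS = [
    ("9+ chars, lower+upper+punctuation", 9, {"lower", "upper", "punct"}),
    ("10+ chars, lower+upper+digits", 10, {"lower", "upper", "digit"}),
    ("12+ chars, lower+digits", 12, {"lower", "digit"}),
    ("20+ chars, lower only", 20, {"lower"}),
]


def char_classes(password: str) -> set:
    """Return the names of the character classes present in the password."""
    present = set()
    for ch in password:
        for name, (members, _) in CLASSES.items():
            if ch in members:
                present.add(name)
    return present


def meets_policy(password: str):
    """Return the label of the first tier the password satisfies, or None."""
    present = char_classes(password)
    for label, min_len, required in TIERS:
        if len(password) >= min_len and required <= present:
            return label
    return None


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of passwords of the given length over the alphabet."""
    return length * math.log2(alphabet_size)


def tier_floor_bits() -> dict:
    """Keyspace, in bits, of the shortest password each tier admits, assuming
    it is drawn uniformly from exactly the classes the tier requires."""
    result = {}
    for label, min_len, required in TIERS:
        alphabet = sum(CLASSES[name][1] for name in required)
        result[label] = keyspace_bits(min_len, alphabet)
    return result


if __name__ == "__main__":
    baseline = keyspace_bits(8, 62)  # 8 alphanumeric characters, as in the thread
    print(f"8-char alphanumeric: {baseline:.1f} bits")
    for label, bits in tier_floor_bits().items():
        print(f"{label}: {bits:.1f} bits")
    # Constructed sample passwords, not real credentials.
    for pw in ["abcdefgh", "Password1", "Tr0ub4dor&3", "abcdefghij12", "a" * 20]:
        print(f"{pw!r}: {meets_policy(pw)}")
```

Run it as a script to see that every tier's shortest admissible password already sits well above the roughly 47.6 bits of an 8-character alphanumeric one, which is the gap the reply is pointing at; the tiers trade character-class variety for length so that each lands in the same ballpark, with the 20-character lowercase option the largest of the four.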