On Wed, 11 Mar 2009, Toshio Kuratomi wrote:
>
> 5. Password resets could be introducing less secure passwords. This
> one's hard for me to quantify. If you use a strong password the first
> time, what's the likelihood that each reset will bring some number of
> users to use an insecure password? What's the likelihood of someone
> using an insecure password to use a more secure password next time?
> This can be partially mitigated by using a password strength checker, but
> it was pointed out to me that a strength checker 1) doesn't catch things
> like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't
> as devious as someone trying to crack passwords.
>
> #2 is a bug in the strength checker, but we're likely to have to
> continuously work on the upstream software in order to keep things
> secure, without the reward of knowing how much security we're gaining.
>
> #1... I don't have a solution for.
I'd think http://www.nongnu.org/python-crack/ is a good start.
> Would not doing a password expiration but just an account expiration be
> okay? I think that we can cover a pretty broad swathe of contributors
> with something that ties into people logging into fas (because we use
> json to log people in to web services including the wiki and they need
> to login to get a certificate to use koji/lookaside). We'd just have to
> expire accounts on a longer interval than the ssl certs... like 6 months
> for certs and 7 months for accounts.
>
> Thoughts on implementing alternate means of checking activity here:
> https://fedorahosted.org/fedora-infrastructure/ticket/1237
I think we shouldn't go too far out of our way for people that can't
follow directions. Harsh? Yes, but what we asked of people was
incredibly trivial. I'd be fine with asking people to log in, but I'd
think we'll find lots of people find that confusing. Logging in and
setting your password is a task that has a clear beginning and end. I can
see people logging in expecting to see further directions and then asking
"now what?"

We've just got so much else to do that I'd hate to spend a lot of time and
effort to please a few people that can't spend less than a minute a year
(15 seconds every 2 months) to log in and type their password a couple of
times, and the people that complained couldn't do that.
If someone has time to implement some grand scheme, that's fine. I know I
don't. The changes suggested about aliases and home dirs are good ones.
-Mike
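The BIRTHDATE + WIFESNAME + FIRSTPET case from point 5 above is the one a generic strength checker misses: the string is long and mixes character classes, so it passes, yet it is built entirely from facts an attacker can look up. The following is an added example, not code from this thread, from FAS or from python-crack. It assumes a hypothetical profile dict with "names" and "dates" fields, and a fixed set of date renderings; a real deployment would layer this on top of a dictionary check such as cracklib rather than replace it.

```python
"""Strength check that also rejects passwords glued together from the
user's own profile data. Added example; not Fedora Account System code.
The profile layout and DATE_FORMATS are assumptions for the demonstration."""
from datetime import date

# Common ways people write a date into a password (assumed list).
DATE_FORMATS = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%y%m%d", "%d%m%y", "%m%d%y",
                "%Y-%m-%d", "%d-%m-%Y", "%m-%d-%Y", "%d/%m/%Y", "%m/%d/%Y", "%Y")
MIN_TOKEN_LEN = 3   # two-character fragments match by accident far too often

# Constructed sample profile (hypothetical person, not real data).
PROFILE = {"names": ["Linda", "Fluffy", "Smith"], "dates": [date(1980, 4, 12)]}


def personal_tokens(profile):
    """Expand a profile into the literal strings an attacker would try:
    names lower-cased, each date rendered in every format above."""
    tokens = set()
    for name in profile.get("names", ()):
        tokens.add(name.lower())
    for d in profile.get("dates", ()):
        for fmt in DATE_FORMATS:
            tokens.add(d.strftime(fmt))
    return {t for t in tokens if len(t) >= MIN_TOKEN_LEN}


def uncovered_chars(password, tokens):
    """Minimum number of characters left over once the (lower-cased) password
    is segmented into profile tokens. Dynamic programming over prefix
    lengths; a result of 0 means the password is personal data end to end."""
    pw = password.lower()
    n = len(pw)
    best = [n + 1] * (n + 1)   # best[i] = fewest filler chars covering pw[:i]
    best[0] = 0
    for i in range(n):
        if best[i] > n:
            continue
        best[i + 1] = min(best[i + 1], best[i] + 1)   # pw[i] counted as filler
        for t in tokens:
            if pw.startswith(t, i):
                best[i + len(t)] = min(best[i + len(t)], best[i])
    return best[n]


def char_classes(password):
    """Number of distinct character classes (lower, upper, digit, other)."""
    kinds = set()
    for c in password:
        if c.islower():
            kinds.add("lower")
        elif c.isupper():
            kinds.add("upper")
        elif c.isdigit():
            kinds.add("digit")
        else:
            kinds.add("other")
    return len(kinds)


def naive_strength_ok(password, min_len=12, min_classes=3):
    """The generic check that lets BIRTHDATE+WIFESNAME+FIRSTPET through."""
    return len(password) >= min_len and char_classes(password) >= min_classes


def check_password(password, profile, min_len=12, min_classes=3, max_filler=3):
    """Return (ok, reason). Rejects short or low-variety passwords, then
    rejects anything that is profile tokens plus at most max_filler other
    characters (separators like '-' or a trailing '!')."""
    if len(password) < min_len:
        return False, "too short"
    if char_classes(password) < min_classes:
        return False, "too few character classes"
    leftover = uncovered_chars(password, personal_tokens(profile))
    if leftover <= max_filler:
        return False, "built from personal data (%d filler chars)" % leftover
    return True, "ok"


if __name__ == "__main__":
    for pw in ("19800412LindaFluffy", "Linda-Fluffy-1980!",
               "correct horse battery staple 42"):
        print(repr(pw), "naive:", naive_strength_ok(pw),
              "profile-aware:", check_password(pw, PROFILE))
```

The filler allowance is what makes the check "devious" in the sense of point 5's #2: an attacker trying BIRTHDATE+WIFESNAME+FIRSTPET will also try the same with a dash between parts or an exclamation mark at the end, so those are treated as the same password rather than as added entropy.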