Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Adam Williamson awilliam at redhat.com
Wed Oct 12 17:51:34 UTC 2011


On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
> On 12 October 2011 17:44, Kevin Fenzi <kevin at scrye.com> wrote:
> > All existing users of the Fedora Account System (FAS) at
> > https://admin.fedoraproject.org/accounts are required to change their
> > password and upload a NEW ssh public key before 2011-11-30.
> 
> I have to upload a *new* public key? Why should I have two sets of keys?

Meant 'replacement'. You can only have one key in FAS, afaict.

> > * Nine or more characters with lower and upper case letters, digits and
> >  punctuation marks.
> > * Ten or more characters with lower and upper case letters and digits.
> > * Twelve or more characters with lower case letters and digits.
> > * Twenty or more characters with all lower case letters.
> 
> This is just insane. My existing password is 8 digits and
> alphanumeric, and given that I have to enter it over and over again
> (and prove "I'm human", another WTF) when creating updates I'm really
> wondering if I want to bother.
> 
> Talk about putting up barriers.

I can think of no reason why everyone shouldn't use a password manager.
It's just hands down a better way to do things in every respect. Eight
characters alphanumeric is not actually a very strong password; the
numbers on how long it'd take to brute force with e.g. EC2 are quite
tiny. And an account like yours certainly counts as high-value.

This is clearly not a theoretical threat: kernel.org _was compromised_.
mysql _was compromised_. winehq _was compromised_. There are actual
real-world attackers out there right now going after open source project
systems, precisely using attacks on weak and shared credentials. This is
not some stupid 'best practice' thing, this is a practical attempt to
prevent us falling victim to specific and very obviously real threats.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
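To make the trade-off in the announcement concrete, here is an added example (not code from the thread, FAS, or Fedora infrastructure) that implements the four password tiers quoted above as a checker and estimates the search space behind each one. The 10^9 guesses-per-second rate is an assumed figure for illustration, not a number from the message, and the model treats every character as uniformly drawn from the classes present, which is an upper bound on real-world strength.

```python
import math
import string

# The four acceptance tiers from the FAS notice quoted in this thread:
# (minimum length, character classes that must all be present).
# The last tier is special: it must be *all* lower-case letters.
TIERS = (
    (9, {"lower", "upper", "digit", "punct"}),
    (10, {"lower", "upper", "digit"}),
    (12, {"lower", "digit"}),
    (20, {"lower"}),
)

# Character classes and their alphabet sizes (ASCII only, as the notice implies).
CLASS_SETS = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "punct": set(string.punctuation),       # 32
}

# Assumed attacker guess rate for the estimate below (illustrative, not from the thread).
ASSUMED_GUESSES_PER_SECOND = 1e9


def char_classes(pw):
    """Return the set of class names that occur at least once in pw."""
    present = set()
    for ch in pw:
        for name, chars in CLASS_SETS.items():
            if ch in chars:
                present.add(name)
    return present


def satisfied_tier(pw):
    """Return the minimum length of the tier pw satisfies, or None if rejected.

    Tiers are checked in the order announced; the 20-character tier only
    applies when the password consists solely of lower-case letters.
    """
    present = char_classes(pw)
    for min_len, required in TIERS:
        if len(pw) < min_len:
            continue
        if required == {"lower"}:
            if present == {"lower"}:
                return min_len
            continue
        if required <= present:
            return min_len
    return None


def keyspace(pw):
    """Size of the search space if every character were drawn uniformly from
    the union of the classes present in pw (an upper bound on real strength)."""
    alphabet = sum(len(CLASS_SETS[name]) for name in char_classes(pw))
    return alphabet ** len(pw) if alphabet else 0


def keyspace_bits(pw):
    """Same search space expressed in bits (log2)."""
    return math.log2(keyspace(pw)) if keyspace(pw) else 0.0


def brute_force_seconds(pw, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to exhaust the search space at the assumed guess rate."""
    return keyspace(pw) / rate


if __name__ == "__main__":
    # Constructed sample passwords: one like the 8-character alphanumeric
    # case mentioned in the thread, plus one per tier.
    samples = ["abcd1234", "Abc123!xy", "Abcdef1234",
               "abcdef123456", "abcdefghijklmnopqrst"]
    for pw in samples:
        tier = satisfied_tier(pw)
        print(f"{pw:24} tier={tier!s:5} bits={keyspace_bits(pw):5.1f} "
              f"exhaust={brute_force_seconds(pw):12.0f}s")
```

Running the block shows why the tiers look uneven but are not: each lands in the same rough band of search space, while an 8-character lower-case-plus-digit password is exhausted in under an hour at the assumed rate.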