Password resets

Mike Bonnet mikeb at redhat.com
Wed Mar 11 17:49:49 UTC 2009


Toshio Kuratomi wrote:
> Mike McGrath wrote:
>> So holy crap does the planet hate it when you ask people to reset their
>> passwords.  In particular though, they hated the following:
>>
>> 1. Kittens
>>
>> 2. "Password Expiration" is confusing and does not imply "account
>> expiration".  Some may have ignored the warning because they did not
>> understand what the consequences were.
>>
>> 3. Mail aliases going away.  This one's legit and accounts for the only
>> data loss we actually had.
>>
>> 4. fedorapeople space going away and not coming back automatically.
> 
> Possible implementation here:
> https://fedorahosted.org/fedora-infrastructure/ticket/1244#comment:1
> 
> 5. Password resets could be introducing less secure passwords.  This
> one's hard for me to quantify.  If you use a strong password the first
> time, what's the likelihood that each reset will bring some number of
> users to use an insecure password?  What's the likelihood of someone
> using an insecure password to use a more secure password next time?
> 
> This can be partially mitigated by using a password strength checker but
> it was pointed out to me that a strength checker 1) doesn't catch things
> like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't
> as devious as someone trying to crack passwords.
> 
> #2 is a bug in the strength checker but we're likely to have to
> continuously work on the upstream software in order to keep things
> secure.  Without the reward of knowing how much security we're gaining.
> 
> #1... I don't have a solution for.
> 
>> I'm going to disable password reset/account expiration until at least 3 of
>> the 4 above are done.
>>
>> Please hate me a little less now.  Thoughts?
>>
> Would not doing a password expiration but just an account expiration be
> okay?  I think that we can cover a pretty broad swathe of contributors
> with something that ties into people logging into fas (because we use
> json to log people in to web services including the wiki and they need
> to login to get a certificate to use koji/lookaside).  We'd just have to
> expire accounts on a longer interval than the ssl certs... like 6 months
> for certs and 7 months for accounts.

+1

Even if they were required to log in to the FAS web UI as an indication
that their account was still active, I think that would be preferable to
forced password resets.

> Thoughts on implementing alternate means of checking activity here:
> https://fedorahosted.org/fedora-infrastructure/ticket/1237
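One way to implement the activity-based expiration discussed above, where any login to FAS (web UI, JSON login from a web service, or certificate issuance) counts as activity and accounts expire on a longer interval than the SSL certificates. This is an added example, not code from the Fedora Infrastructure project or the FAS codebase; the event source names, the 30-day month approximation, the 14-day warning window and the sample activity records are all constructed assumptions.

```python
"""Activity-based account expiration as proposed in the thread (added example)."""
from datetime import datetime, timedelta

# Intervals from the proposal: certs live 6 months, accounts expire after 7 idle months.
# 30-day months are an assumption made here for simplicity.
CERT_LIFETIME = timedelta(days=6 * 30)
ACCOUNT_IDLE_LIMIT = timedelta(days=7 * 30)
WARN_BEFORE = timedelta(days=14)  # hypothetical warning window, not from the thread

# Certificates must lapse before accounts do, otherwise a valid cert could
# outlive the account it was issued to.
assert CERT_LIFETIME < ACCOUNT_IDLE_LIMIT

# Hypothetical event sources that all count as "the account is still in use".
ACTIVITY_SOURCES = {"fas_web_login", "json_login", "cert_issue"}

# Constructed sample activity log: (username, source, ISO-8601 timestamp)
SAMPLE_EVENTS = [
    ("alice", "fas_web_login", "2008-12-20T10:00:00"),
    ("alice", "json_login", "2009-02-01T09:30:00"),   # wiki login via JSON
    ("bob", "cert_issue", "2008-07-15T12:00:00"),     # koji cert, long ago
    ("carol", "json_login", "2008-08-20T08:00:00"),
    ("carol", "wiki_edit", "2009-03-01T12:00:00"),    # not an auth event; ignored
    ("dave", "fas_web_login", "2008-01-10T16:45:00"),
]


def last_activity(events, sources=ACTIVITY_SOURCES):
    """Return {user: most recent authentication timestamp} over trusted sources."""
    latest = {}
    for user, source, stamp in events:
        if source not in sources:
            continue
        ts = datetime.fromisoformat(stamp)
        if user not in latest or ts > latest[user]:
            latest[user] = ts
    return latest


def classify(last_seen, now):
    """Map idle time to an action: active, warn (mail the user), or expire."""
    idle = now - last_seen
    if idle >= ACCOUNT_IDLE_LIMIT:
        return "expire"
    if idle >= ACCOUNT_IDLE_LIMIT - WARN_BEFORE:
        return "warn"
    return "active"


def expiration_report(events, now_iso):
    """Classify every account seen in the event log relative to now_iso."""
    now = datetime.fromisoformat(now_iso)
    return {user: classify(ts, now) for user, ts in last_activity(events).items()}


if __name__ == "__main__":
    for user, action in sorted(expiration_report(SAMPLE_EVENTS, "2009-03-11T17:49:49").items()):
        print(f"{user:8s} {action}")
```

The "warn" state is what addresses point 2 in the original list: the notice sent during that window can say plainly that the account, not just the password, will stop working, and a single login from any of the trusted sources clears it.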
