03-11-2009, 12:41 AM
Mike McGrath
Password resets

So holy crap does the planet hate it when you ask people to reset their
passwords. In particular though, they hated the following:

1. Kittens

2. "Password Expiration" is confusing and does not imply "account
expiration". Some may have ignored the warning because they did not
understand what the consequences were.

3. Mail aliases going away. This one's legit and accounts for the only
data loss we actually had.

4. fedorapeople space going away and not coming back automatically.

[1] requires the killing of all kittens

[2] just requires a better email to go out, possibly with a link to a wiki
page. It'd be good for this to be translated.

[3] requires another "account" type or at least fasClient to be smart
enough to know how old the 'inactive' account is. I'd suggest a month or
so.

[4] requires us to restore whatever is in
/home/fedora.bak/$username.$timestamp at the time the account becomes
active again. We won't leave $username.fedorapeople.org up for security /
liability reasons. But we will make it transparent to the user that it
looks like their stuff never went away.

I'm going to disable password reset/account expiration until at least 3 of
the 4 above are done.

Please hate me a little less now. Thoughts?

-Mike

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
03-11-2009, 02:53 AM
Ian Weller
Password resets

On Tue, Mar 10, 2009 at 08:41:33PM -0500, Mike McGrath wrote:
> So holy crap does the planet hate it when you ask people to reset their
> passwords. In particular though, they hated the following:
>
> 1. Kittens
>
> 2. "Password Expiration" is confusing and does not imply "account
> expiration". Some may have ignored the warning because they did not
> understand what the consequences were.
>
> 3. Mail aliases going away. This one's legit and accounts for the only
> data loss we actually had.
>
> 4. fedorapeople space going away and not coming back automatically.
>
> [1] requires the killing of all kittens
>
> [2] just requires a better email to go out, possibly with a link to a wiki
> page. It'd be good for this to be translated.
>
> [3] requires another "account" type or at least fasClient to be smart
> enough to know how old the 'inactive' account is. I'd suggest a month or
> so.
>
> [4] requires us to restore whatever is in
> /home/fedora.bak/$username.$timestamp at the time the account becomes
> active again. We won't leave $username.fedorapeople.org up for security /
> liability reasons. But we will make it transparent to the user that it
> looks like their stuff never went away.
>
> I'm going to disable password reset/account expiration until at least 3 of
> the 4 above are done.
>
Well I'm gonna safely assume that we won't kill all the kittens in time
for the next one...

--
Ian Weller <ianweller@gmail.com> http://ianweller.org
GnuPG fingerprint: E51E 0517 7A92 70A2 4226 B050 87ED 7C97 EFA8 4A36
"Technology is a word that describes something that doesn't work yet."
~ Douglas Adams
03-11-2009, 01:01 PM
Stephen John Smoogen
Password resets

On Tue, Mar 10, 2009 at 7:41 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> So holy crap does the planet hate it when you ask people to reset their
> passwords. In particular though, they hated the following:
>
> 1. Kittens

Personally I thought people were having kittens for all the 'problems'
occurring. Maybe we should set up an adoption agency? The main thing
with password changes is that a segment of the society does not like
them <PERIOD>. They will quote Spafford, etc etc about how it's wrong
to change passwords and with some members of our faculty do a virtual
sit-out in protest. In general I hand them some lemons and tell them
to make lemonade. [But that is why I am probably going to see our HR
rep about..]

Normally our policy for accounts is the following:
15 day email saying your account will be locked, and then deleted 15
days after lock.
7 day email saying your account will be locked, and then deleted 15
days after lock.
1 day email saying your account will be locked.
and then
1 day email saying your account is locked and will be deleted in 15 days.
7 day email saying... you get the picture

If a person does not get the message within that time frame... well
that is life. If we are going to schedule these for a precise period
(say first week of March, September (if 180 day timeframe)) a mail can
go out to the list also.

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

03-11-2009, 04:09 PM
Toshio Kuratomi
Password resets

Mike McGrath wrote:
> So holy crap does the planet hate it when you ask people to reset their
> passwords. In particular though, they hated the following:
>
> 1. Kittens
>
> 2. "Password Expiration" is confusing and does not imply "account
> expiration". Some may have ignored the warning because they did not
> understand what the consequences were.
>
> 3. Mail aliases going away. This one's legit and accounts for the only
> data loss we actually had.
>
> 4. fedorapeople space going away and not coming back automatically.

Possible implementation here:
https://fedorahosted.org/fedora-infrastructure/ticket/1244#comment:1

>
5. Password resets could be introducing less secure passwords. This
one's hard for me to quantify. If you use a strong password the first
time, what's the likelihood that each reset will bring some number of
users to use an insecure password? What's the likelihood of someone
using an insecure password to use a more secure password next time?

This can be partially mitigated by using a password strength checker but
it was pointed out to me that a strength checker 1) doesn't catch things
like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't
as devious as someone trying to crack passwords.

#2 is a bug in the strength checker but we're likely to have to
continuously work on the upstream software in order to keep things
secure. Without the reward of knowing how much security we're gaining.

#1... I don't have a solution for.

>
> I'm going to disable password reset/account expiration until at least 3 of
> the 4 above are done.
>
> Please hate me a little less now. Thoughts?
>
Would not doing a password expiration but just an account expiration be
okay? I think that we can cover a pretty broad swathe of contributors
with something that ties into people logging into fas (because we use
json to log people in to web services including the wiki and they need
to login to get a certificate to use koji/lookaside). We'd just have to
expire accounts on a longer interval than the ssl certs... like 6 months
for certs and 7 months for accounts.

Thoughts on implementing alternate means of checking activity here:
https://fedorahosted.org/fedora-infrastructure/ticket/1237

-Toshio

03-11-2009, 04:35 PM
Mike McGrath
Password resets

On Wed, 11 Mar 2009, Toshio Kuratomi wrote:
> >
> 5. Password resets could be introducing less secure passwords. This
> one's hard for me to quantify. If you use a strong password the first
> time, what's the likelihood that each reset will bring some number of
> users to use an insecure password? What's the likelihood of someone
> using an insecure password to use a more secure password next time?
>
> This can be partially mitigated by using a password strength checker but
> it was pointed out to me that a strength checker 1) doesn't catch things
> like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't
> as devious as someone trying to crack passwords.
>
> #2 is a bug in the strength checker but we're likely to have to
> continuously work on the upstream software in order to keep things
> secure. Without the reward of knowing how much security we're gaining.
>
> #1... I don't have a solution for.
>

I'd think http://www.nongnu.org/python-crack/ is a good start.

>
> Would not doing a password expiration but just an account expiration be
> okay? I think that we can cover a pretty broad swathe of contributors
> with something that ties into people logging into fas (because we use
> json to log people in to web services including the wiki and they need
> to login to get a certificate to use koji/lookaside). We'd just have to
> expire accounts on a longer interval than the ssl certs... like 6 months
> for certs and 7 months for accounts.
>
> Thoughts on implementing alternate means of checking activity here:
> https://fedorahosted.org/fedora-infrastructure/ticket/1237
>

I think we shouldn't go too far out of our way for people that can't
follow directions. Harsh? Yes, but what we asked of people was
incredibly trivial. I'd be fine with asking people to log in but I'd
think we'll find lots of people find that confusing. Logging in and
setting your password is a task that has a clear beginning and end. I can
see people logging in expecting to see further directions and then asking
"now what"?

We've just got so much else to do I'd hate to spend a lot of time and
effort to please a few people that can't spend less than a minute a year
(15 seconds every 2 months) to log in and type their password a couple of
times and the people that complained couldn't do that.

If someone has time to implement some grand scheme, that's fine. I know I
don't. The changes suggested about aliases and home dirs are good ones.

-Mike

03-11-2009, 04:49 PM
Mike Bonnet
Password resets

Toshio Kuratomi wrote:
> Mike McGrath wrote:
>> So holy crap does the planet hate it when you ask people to reset their
>> passwords. In particular though, they hated the following:
>>
>> 1. Kittens
>>
>> 2. "Password Expiration" is confusing and does not imply "account
>> expiration". Some may have ignored the warning because they did not
>> understand what the consequences were.
>>
>> 3. Mail aliases going away. This one's legit and accounts for the only
>> data loss we actually had.
>>
>> 4. fedorapeople space going away and not coming back automatically.
>
> Possible implementation here:
> https://fedorahosted.org/fedora-infrastructure/ticket/1244#comment:1
>
> 5. Password resets could be introducing less secure passwords. This
> one's hard for me to quantify. If you use a strong password the first
> time, what's the likelihood that each reset will bring some number of
> users to use an insecure password? What's the likelihood of someone
> using an insecure password to use a more secure password next time?
>
> This can be partially mitigated by using a password strength checker but
> it was pointed out to me that a strength checker 1) doesn't catch things
> like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't
> as devious as someone trying to crack passwords.
>
> #2 is a bug in the strength checker but we're likely to have to
> continuously work on the upstream software in order to keep things
> secure. Without the reward of knowing how much security we're gaining.
>
> #1... I don't have a solution for.
>
>> I'm going to disable password reset/account expiration until at least 3 of
>> the 4 above are done.
>>
>> Please hate me a little less now. Thoughts?
>>
> Would not doing a password expiration but just an account expiration be
> okay? I think that we can cover a pretty broad swathe of contributors
> with something that ties into people logging into fas (because we use
> json to log people in to web services including the wiki and they need
> to login to get a certificate to use koji/lookaside). We'd just have to
> expire accounts on a longer interval than the ssl certs... like 6 months
> for certs and 7 months for accounts.

+1

Even if they were required to log in to the FAS web UI as an indication
that their account was still active, I think that would be preferable to
forced password resets.

> Thoughts on implementing alternate means of checking activity here:
> https://fedorahosted.org/fedora-infrastructure/ticket/1237

03-11-2009, 04:52 PM
Lyos Gemini Norezel
Password resets

Mike McGrath wrote:
> I think we shouldn't go too far out of our way for people that can't
> follow directions. Harsh? Yes, but what we asked of people was
> incredibly trivial. I'd be fine with asking people to log in but I'd
> think we'll find lots of people find that confusing. Logging in and
> setting your password is a task that has a clear beginning and end. I can
> see people logging in expecting to see further directions and then asking
> "now what"?

Why tell them at all? If you change it to 'activity shown on account'
(which, IMNSHO, is the proper way)... the only reason for having people
login will be immediately obvious via a properly worded email (i.e., "Due
to inactivity on your FAS account, your account will be terminated in 1
month, unless the following steps are taken...").

> We've just got so much else to do I'd hate to spend a lot of time and
> effort to please a few people that can't spend less than a minute a year
> (15 seconds every 2 months) to log in and type their password a couple of
> times and the people that complained couldn't do that.

Many fail to realize that the same password they used before could be
used again. Hence the complaints. People don't like having to remember
new passwords every couple of months. It's irritating and really
unnecessary, not to mention the new security holes you open (as Toshio,
partially, explained in his email).

Lyos Gemini Norezel
03-11-2009, 05:09 PM
Mike McGrath
Password resets

On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:

> Mike McGrath wrote:
> > I think we shouldn't go too far out of our way for people that can't
> > follow directions. Harsh? Yes, but what we asked of people was
> > incredibly trivial. I'd be fine with asking people to log in but I'd
> > think we'll find lots of people find that confusing. Logging in and
> > setting your password is a task that has a clear beginning and end. I can
> > see people logging in expecting to see further directions and then asking
> > "now what"?
> >
>
> Why tell them at all? If you change it to 'activity shown on account' (which,
> IMNSHO, is

NSHO? who are you?

> the proper way)... the only reason for having people login will be immediately
> obvious via
> a properly worded email (ie., "Due to inactivity on your FAS account, your
> account will be
> terminated in 1 month, unless the following steps are taken...").
>

The only common point of entry for all of our services is the account
system and people rarely use it without being asked to so we'll still have
to do some emailing.

> > We've just got so much else to do I'd hate to spend a lot of time and
> > effort to please a few people that can't spend less than a minute a year
> > (15 seconds every 2 months) to log in and type their password a couple of
> > times and the people that complained couldn't do that.
> >
>
> Many fail to realize that the same password they used before could be used
> again.
> Hence the complaints.

Ehh, no. Almost no one has complained that they actually had to change
their password to something else. And you can be damn sure I'll spell
that out explicitly in the next email so everyone gets it.

-Mike

03-11-2009, 05:10 PM
Toshio Kuratomi
Password resets

Mike McGrath wrote:
> On Wed, 11 Mar 2009, Toshio Kuratomi wrote:
>> 5. Password resets could be introducing less secure passwords. This
>> one's hard for me to quantify. If you use a strong password the first
>> time, what's the likelihood that each reset will bring some number of
>> users to use an insecure password? What's the likelihood of someone
>> using an insecure password to use a more secure password next time?
>>
>> This can be partially mitigated by using a password strength checker but
>> it was pointed out to me that a strength checker 1) doesn't catch things
>> like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't
>> as devious as someone trying to crack passwords.
>>
>> #2 is a bug in the strength checker but we're likely to have to
>> continuously work on the upstream software in order to keep things
>> secure. Without the reward of knowing how much security we're gaining.
>>
>> #1... I don't have a solution for.
>>
>
> I'd think http://www.nongnu.org/python-crack/ is a good start.
>
This addresses #2. But doesn't address #1. If my password is
2005-03-11HutchinsonSnoopy a password strength checker isn't going to
find that an especially weak password but a cracker that's researching
their targets has a decent chance of figuring it out.

>> Would not doing a password expiration but just an account expiration be
>> okay? I think that we can cover a pretty broad swathe of contributors
>> with something that ties into people logging into fas (because we use
>> json to log people in to web services including the wiki and they need
>> to login to get a certificate to use koji/lookaside). We'd just have to
>> expire accounts on a longer interval than the ssl certs... like 6 months
>> for certs and 7 months for accounts.
>>
>> Thoughts on implementing alternate means of checking activity here:
>> https://fedorahosted.org/fedora-infrastructure/ticket/1237
>>
>
> I think we shouldn't go too far out of our way for people that can't
> follow directions. Harsh? Yes, but what we asked of people was
> incredibly trivial. I'd be fine with asking people to log in but I'd
> think we'll find lots of people find that confusing. Logging in and
> setting your password is a task that has a clear beginning and end. I can
> see people logging in expecting to see further directions and then asking
> "now what"?
>
> We've just got so much else to do I'd hate to spend a lot of time and
> effort to please a few people that can't spend less than a minute a year
> (15 seconds every 2 months) to log in and type their password a couple of
> times and the people that complained couldn't do that.
>
This isn't too hard to do, though. On the data saving side, we just
need fas to record the current timestamp in lastseen whenever someone
logs into fas.

On the expiry side, we need to check the lastseen date instead of the
password_change date.

So it's just explaining to people how to show they're still active....

-Toshio

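Toshio's two-step sketch above (stamp `lastseen` on every FAS login, then expire on `lastseen` instead of `password_change`), combined with Stephen Smoogen's 15/7/1-day reminder schedule from earlier in the thread, as an added Python illustration; this is not FAS code or anything posted to the list. The day counts behind the 6-month cert / 7-month account intervals, the old policy's password age, and the sample account are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thread intervals: certs 6 months, accounts a month later (a cert renewal needs
# a FAS login, so it keeps the account seen). Day counts and PASSWORD_MAX_AGE are assumptions.
CERT_LIFETIME = timedelta(days=180)
ACCOUNT_INACTIVITY = timedelta(days=210)
DELETE_AFTER_LOCK = timedelta(days=15)
PASSWORD_MAX_AGE = timedelta(days=180)
WARN_DAYS = (15, 7, 1)          # Stephen Smoogen's reminder schedule

@dataclass
class Account:
    username: str
    lastseen: date          # refreshed by every FAS login, incl. JSON auth from the wiki
    password_change: date   # what the old policy keyed on; no longer consulted

def record_login(acct: Account, today: date) -> None:
    """Data-saving side: every FAS login stamps lastseen."""
    acct.lastseen = today

def lock_date(acct: Account) -> date:
    return acct.lastseen + ACCOUNT_INACTIVITY

def delete_date(acct: Account) -> date:
    return lock_date(acct) + DELETE_AFTER_LOCK

def status(acct: Account, today: date) -> str:
    """Expiry side: decide on lastseen, not password_change."""
    if today < lock_date(acct):
        return "active"
    return "locked" if today < delete_date(acct) else "deleted"

def old_policy_status(acct: Account, today: date) -> str:
    """The password-age policy the thread is moving away from, for contrast."""
    return "active" if today < acct.password_change + PASSWORD_MAX_AGE else "expired"

def notice_due(acct: Account, today: date) -> str:
    """Reminder the daily job should send today, or "" if none."""
    to_lock = (lock_date(acct) - today).days
    if to_lock in WARN_DAYS:
        return (f"{acct.username}: no activity on your FAS account since "
                f"{acct.lastseen}; it will be locked in {to_lock} day(s) and deleted "
                f"{DELETE_AFTER_LOCK.days} days after that unless you log in.")
    to_delete = (delete_date(acct) - today).days
    if to_lock <= 0 and to_delete in WARN_DAYS:
        return (f"{acct.username}: your FAS account is locked and will be deleted "
                f"in {to_delete} day(s) unless you log in.")
    return ""

def constructed_example() -> dict:
    """Constructed sample: a wiki user who logs in regularly but never resets their password."""
    acct = Account("sampleuser", lastseen=date(2008, 1, 1), password_change=date(2008, 1, 1))
    record_login(acct, date(2009, 2, 1))     # wiki login goes through FAS
    today = date(2009, 3, 11)
    lock = lock_date(acct)
    return {
        "cert_expires_first": CERT_LIFETIME < ACCOUNT_INACTIVITY,
        "new_policy": status(acct, today),
        "old_policy": old_policy_status(acct, today),
        "lock_date": lock.isoformat(),
        "warn_15": notice_due(acct, lock - timedelta(days=15)),
        "warn_14": notice_due(acct, lock - timedelta(days=14)),
        "locked_notice": notice_due(acct, lock),
        "after_delete": status(acct, delete_date(acct)),
    }
```

Under the old policy the sample user is already expired despite having logged in a month before; under the lastseen policy the same login keeps the account active until 2009-08-30, with the first reminder 15 days before that.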
03-11-2009, 05:22 PM
Toshio Kuratomi
Password resets

Mike McGrath wrote:
> On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:
>
>> the proper way)... the only reason for having people login will be immediately
>> obvious via
>> a properly worded email (ie., "Due to inactivity on your FAS account, your
>> account will be
>> terminated in 1 month, unless the following steps are taken...").
>>
>
> The only common point of entry for all of our services is the account
> system and people rarely use it without being asked to so we'll still have
> to do some emailing.
>
That's actually only sort of true. People don't use FAS often... but
they do logon to FAS whenever they log onto the other web apps.

-Toshio
