On Mon, 28 May 2012, Larry Brower wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 05/28/2012 05:32 PM, David Nalley wrote:


There is such a feature already. It does require access to email though.

If he has contacts that still control access to the email - surely he
could use the 'forgotten password' functionality and have individuals
in control of said email forward it along.

--David



Couldn't we expand on this feature to allow somethign like answering
"account security questions" similar to how banks and other
organizations do ?



If you're offering a patch to do this I am certain that we could. However,
implementing such a feature requires developer time that is not
immediately available, otherwise.


I don't mean this dismissively - if you're interested in working on it -
then yes - absolutely, please.


-sv



_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Probably what we need is an alternative email feature to allow recover
password if you have not access to your main email and it to the recover
password option

my two cents.


On Mon, 2012-05-28 at 18:32 -0400, David Nalley wrote:
> On Mon, May 28, 2012 at 6:26 PM, Larry Brower <larry@maxqe.com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > On 05/28/2012 05:24 PM, Chris Dix wrote:
> >> If they don't remember their password to log into their account and
> >> their email address is no longer valid, they should do what the rest of
> >> us do and create another account.
> >>
> >> Chris
> >>
> >
> > I would agree that this is the best option. Perhaps we should research
> > adding a "password / login recovery " feature.
> >
>
> There is such a feature already. It does require access to email though.
>
> If he has contacts that still control access to the email - surely he
> could use the 'forgotten password' functionality and have individuals
> in control of said email forward it along.
>
> --David
> _______________________________________________
> infrastructure mailing list
> infrastructure@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure


_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

either 'account security questions' or sending a validation code as SMS to a mobile are the options.
implementing 'account security questions' is much cheaper as SMS solution cost small amount for each SMS*



On Tue, May 29, 2012 at 6:01 AM, Alejandro Pérez <alejandro.perez.torres@gmail.com> wrote:


Probably what we need is an alternative email feature to allow recover

password if you have not access to your main email and it to the recover

password option



my two cents.





On Mon, 2012-05-28 at 18:32 -0400, David Nalley wrote:

> On Mon, May 28, 2012 at 6:26 PM, Larry Brower <larry@maxqe.com> wrote:

> > -----BEGIN PGP SIGNED MESSAGE-----

> > Hash: SHA512

> >

> > On 05/28/2012 05:24 PM, Chris Dix wrote:

> >> If they don't remember their password to log into their account and

> >> their email address is no longer valid, they should do what the rest of

> >> us do and create another account.

> >>

> >> Chris

> >>

> >

> > I would agree that this is the best option. Perhaps we should research

> > adding a "password / login recovery " feature.

> >

>

> There is such a feature already. It does require access to email though.

>

> If he has contacts that still control access to the email - surely he

> could use the 'forgotten password' functionality and have individuals

> in control of said email forward it along.

>

> --David

> _______________________________________________

> infrastructure mailing list

> infrastructure@lists.fedoraproject.org

> https://admin.fedoraproject.org/mailman/listinfo/infrastructure





_______________________________________________

infrastructure mailing list

infrastructure@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/infrastructure

--
Danishka Navin


http://danishkanavin.blogspot.com
http://twitter.com/danishkanavin
http://www.flickr.com/photos/danishkanavin/







_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

I think adding a 'security question(s)' feature would be great.

I would strongly suggest however that the questions and answers be free
form. There's little security in canned security questions that have
answers people can find out. ie, 'What was your high school?'

Anyhow, sounds like a nice feature for someone to work on.

kevin
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Kevin Fenzi <kevin@...> writes:

> I think adding a 'security question(s)' feature would be great.
>
> I would strongly suggest however that the questions and answers be free
> form. There's little security in canned security questions that have
> answers people can find out. ie, 'What was your high school?'

I just use a password manager and if a site forces me to answer "security"
questions, I put them in the Notes section using strong random passwords for the
answers. For example

What was your high school? 48ZGrNaDQR75

I think the security questions should be optional in any case to save the
trouble of having to make and store several strong random passwords rather than
just one.


_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

On 5/29/2012 11:45 PM, Andre Robatino wrote:
> Kevin Fenzi <kevin@...> writes:
>
>> I think adding a 'security question(s)' feature would be great.
>>
>> I would strongly suggest however that the questions and answers be free
>> form. There's little security in canned security questions that have
>> answers people can find out. ie, 'What was your high school?'
>
> I just use a password manager and if a site forces me to answer "security"
> questions, I put them in the Notes section using strong random passwords for the
> answers. For example
>
> What was your high school? 48ZGrNaDQR75
>
> I think the security questions should be optional in any case to save the
> trouble of having to make and store several strong random passwords rather than
> just one.

Or maybe have primary (company?) email and private email registered.

Instead of re-inventing a whole new chunk of code by introducing a
security question and all, simple allow 2 emails to be valid at any
given time.

Fabio
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

On Wed, May 30, 2012 at 9:41 AM, Fabio M. Di Nitto <fdinitto@redhat.com> wrote:
> On 5/29/2012 11:45 PM, Andre Robatino wrote:
>> Kevin Fenzi <kevin@...> writes:
>>
>>> I think adding a 'security question(s)' feature would be great.
>>>
>>> I would strongly suggest however that the questions and answers be free
>>> form. There's little security in canned security questions that have
>>> answers people can find out. ie, 'What was your high school?'
>>
>> I just use a password manager and if a site forces me to answer "security"
>> questions, I put them in the Notes section using strong random passwords for the
>> answers. For example
>>
>> What was your high school? 48ZGrNaDQR75
>>
>> I think the security questions should be optional in any case to save the
>> trouble of having to make and store several strong random passwords rather than
>> just one.
>
> Or maybe have primary (company?) email and private email registered.
>
> Instead of re-inventing a whole new chunk of code by introducing a
> security question and all, simple allow 2 emails to be valid at any
> given time.

Another possibility would be to let 2 people from an "important" group
guarantee, that the person requesting access to an account is the
proper one.
e.g. when you know 2 ambassadors/packager/translator/whatever in
person or somewhere else, you can be sure, it's the same one, I don't
see a reason to get him/her access to the account again.
This is kind of similar to verifying the GPG key given in the account.

(hint: "Important" group above means non-cla and non-fedorahosted-git*
group for me.)

Greetings,
Tom
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Fabio,


If you implement a password recovery feature, that would email the new password to the user. That does no good if they don't have access to their email account.


We probably do want an alternate email that can be used for these situations.


Chris

On May 30, 2012 3:41 AM, "Fabio M. Di Nitto" <fdinitto@redhat.com> wrote:
On 5/29/2012 11:45 PM, Andre Robatino wrote:

> Kevin Fenzi <kevin@...> writes:

>

>> I think adding a 'security question(s)' feature would be great.

>>

>> I would strongly suggest however that the questions and answers be free

>> form. There's little security in canned security questions that have

>> answers people can find out. ie, 'What was your high school?'

>

> I just use a password manager and if a site forces me to answer "security"

> questions, I put them in the Notes section using strong random passwords for the

> answers. For example

>

> What was your high school? 48ZGrNaDQR75

>

> I think the security questions should be optional in any case to save the

> trouble of having to make and store several strong random passwords rather than

> just one.



Or maybe have primary (company?) email and private email registered.



Instead of re-inventing a whole new chunk of code by introducing a

security question and all, simple allow 2 emails to be valid at any

given time.



Fabio

_______________________________________________

infrastructure mailing list

infrastructure@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/infrastructure
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure