On Wed, May 30, 2012 at 9:41 AM, Fabio M. Di Nitto <fdinitto(a)redhat.com> wrote:
On 5/29/2012 11:45 PM, Andre Robatino wrote:
> Kevin Fenzi <kevin@...> writes:
>
>> I think adding a 'security question(s)' feature would be great.
>>
>> I would strongly suggest however that the questions and answers be free
>> form. There's little security in canned security questions that have
>> answers people can find out, i.e. 'What was your high school?'
>
> I just use a password manager and if a site forces me to answer "security"
> questions, I put them in the Notes section using strong random passwords for the
> answers. For example
>
> What was your high school? 48ZGrNaDQR75
>
> I think the security questions should be optional in any case to save the
> trouble of having to make and store several strong random passwords rather than
> just one.
Or maybe have a primary (company?) email and a private email registered.
Instead of re-inventing a whole new chunk of code by introducing a
security question and all, simply allow 2 emails to be valid at any
given time.
Another possibility would be to let 2 people from an "important" group
guarantee that the person requesting access to an account is the
proper one.
e.g. when you know 2 ambassadors/packagers/translators/whatever in
person or somewhere else, you can be sure it's the same one; I don't
see a reason to get him/her access to the account again.
This is kind of similar to verifying the GPG key given in the account.
(hint: "Important" group above means a non-cla and non-fedorahosted-git*
group for me.)
Greetings,
Tom
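The two recovery ideas in the thread, random answers to "security" questions (Andre's post) and account recovery vouched for by two members of an "important" group (Tom's post), as one added example. This is not code from the thread or from Fedora's account system; the group names, the prefixes `cla` and `fedorahosted-git` used to exclude non-vouching groups, and the rule that a voucher cannot be the requester and is counted only once are assumptions modelled on the discussion.

```python
import secrets
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumed: groups whose membership says nothing about knowing a person,
# following the thread's "non-cla and non-fedorahosted-git*" criterion.
NON_VOUCHING_PREFIXES = ("cla", "fedorahosted-git")
REQUIRED_VOUCHERS = 2


def random_security_answer(nbytes: int = 9) -> str:
    """Random, unguessable answer for a 'security question'.

    Meant to be stored in a password manager next to the question, so the
    answer is a secret rather than a fact an attacker could look up.
    """
    return secrets.token_urlsafe(nbytes)


@dataclass(frozen=True)
class Account:
    username: str
    groups: FrozenSet[str]


def is_vouching_group(group: str) -> bool:
    """A group is 'important' unless it is a CLA or fedorahosted-git* group."""
    return not group.startswith(NON_VOUCHING_PREFIXES)


def can_vouch(account: Account) -> bool:
    """Only members of at least one 'important' group may vouch."""
    return any(is_vouching_group(g) for g in account.groups)


def recovery_approved(requester: str, vouchers: List[Account]) -> Tuple[bool, str]:
    """Approve an account-recovery request when enough distinct, qualified
    people vouch for the requester. Returns (approved, reason)."""
    counted: List[str] = []
    for voucher in vouchers:
        if voucher.username == requester:
            continue  # nobody vouches for their own recovery request
        if voucher.username in counted:
            continue  # the same person submitting twice still counts once
        if not can_vouch(voucher):
            continue  # membership only in cla*/fedorahosted-git* groups
        counted.append(voucher.username)
    if len(counted) >= REQUIRED_VOUCHERS:
        return True, "vouched by " + ", ".join(sorted(counted))
    return False, f"need {REQUIRED_VOUCHERS} qualifying vouchers, have {len(counted)}"


if __name__ == "__main__":
    # Constructed sample accounts; "cla_done" is an assumed CLA group name.
    alice = Account("alice", frozenset({"cla_done", "packager"}))
    bob = Account("bob", frozenset({"cla_done", "ambassadors"}))
    carol = Account("carol", frozenset({"cla_done", "fedorahosted-git-proj"}))
    print("What was your high school?", random_security_answer())
    print(recovery_approved("dave", [alice, bob]))    # approved
    print(recovery_approved("dave", [alice, carol]))  # carol cannot vouch
    print(recovery_approved("dave", [alice, alice]))  # one person, not two
```

The prefix filter is the part worth getting right: a group everyone joins automatically (the CLA group in the thread) would otherwise let any two accounts vouch for any other, which is no stronger than the canned questions the thread argues against.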