On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:

> Mike McGrath wrote:
> > On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:
> >
> > > Mike McGrath wrote:
> > >
> > > > I think we shouldn't go too far out of our way for people that can't
> > > > follow directions. Harsh? Yes, but what we asked of people was
> > > > incredibly trivial. I'd be fine with asking people to log in but I'd
> > > > think we'll find lots of people find that confusing. Logging in and
> > > > setting your password is a task that has a clear beginning and end. I can
> > > > see people logging in expecting to see further directions and then asking
> > > > "now what"?
> > > >
> > > Why tell them at all? If you change it to 'activity shown on account' (which,
> > > IMNSHO, is
> > >
> > NSHO? who are you?
> >
> *Sigh*...
> I did not really wish to reveal this, in public, however, since you asked...
> I'm a former blackhat hacker, who the government has banned from working ANY
> security and/or government job.
> Suffice it to say, I understand security (or lack thereof) better than most,
> though I may be rusty/out of date in some areas.
> I do not tell you this to brag, I actually regret my past more and more as I
> get older.
> My 'prior life' has brought me more pain than glory.

I discovered long ago there's no glory in what we do. Gotta fight the
good fight just because it's there.

> > > the proper way)... the only reason for having people login will be
> > > immediately obvious via a properly worded email (i.e., "Due to inactivity
> > > on your FAS account, your account will be terminated in 1 month, unless
> > > the following steps are taken...").
> > >
> > The only common point of entry for all of our services is the account
> > system and people rarely use it without being asked to so we'll still have
> > to do some emailing.
> >
> Aren't pkgdb, koji, bodhi and other services all a part of FAS?
> If I'm right here... then I suspect people are logging into FAS more often
> than you believe.

Not all of them auth in the same way unfortunately and it's not as quick
of a fix as it sounds like.

> > > > We've just got so much else to do I'd hate to spend a lot of time and
> > > > effort to please a few people that can't spend less than a minute a year
> > > > (15 seconds every 2 months) to log in and type their password a couple of
> > > > times and the people that complained couldn't do that.
> > > >
> > > Many fail to realize that the same password they used before could be used
> > > again.
> > > Hence the complaints.
> > >
> > Ehh, no. Almost no one has complained that they actually had to change
> > their password to something else. And you can be damn sure I'll spell
> > that out explicitly in the next email so everyone gets it.
> >
> > -Mike
> >
> As Toshio has already brought up on this list (after I brought it to his
> attention)... people have a tendency to select progressively weaker passwords
> every time they are forced to change one.
> So your idea of 'security' is actually INTRODUCING more holes than it's
> plugging.

It's not my idea of security, it's my idea of a task. I just want some
concrete thing that has a beginning, middle, and end for people to do so we
can prune accounts. Logging in and typing your password a couple of times
(and keeping it the same thing). Doesn't sound like it's introducing or
removing any holes.

Sorry to hear you won't be discussing it further.

-Mike