So holy crap does the planet hate it when you ask people to reset their passwords. In particular though, they hated the following:
1. Kittens
2. "Password Expiration" is confusing and does not imply "account expiration". Some may have ignored the warning because they did not understand what the consequences were.
3. Mail aliases going away. This one's legit and accounts for the only data loss we actually had.
4. fedorapeople space going away and not coming back automatically.
[1] requires the killing of all kittens
[2] just requires a better email to go out, possibly with a link to a wiki page. It'd be good for this to be translated.
[3] requires another "account" type or at least fasClient to be smart enough to know how old the 'inactive' account is. I'd suggest a month or so.
[4] requires us to restore whatever is in /home/fedora.bak/$username.$timestamp at the time the account becomes active again. We won't leave $username.fedorapeople.org up for security / liability reasons. But we will make it transparent to the user that it looks like their stuff never went away.
I'm going to disable password reset/account expiration until at least 3 of the 4 above are done.
Please hate me a little less now. Thoughts?
-Mike
On Tue, Mar 10, 2009 at 08:41:33PM -0500, Mike McGrath wrote:
So holy crap does the planet hate it when you ask people to reset their passwords. In particular though, they hated the following:
- Kittens
- "Password Expiration" is confusing and does not imply "account expiration". Some may have ignored the warning because they did not understand what the consequences were.
- Mail aliases going away. This one's legit and accounts for the only data loss we actually had.
- fedorapeople space going away and not coming back automatically.
[1] requires the killing of all kittens
[2] just requires a better email to go out, possibly with a link to a wiki page. It'd be good for this to be translated.
[3] requires another "account" type or at least fasClient to be smart enough to know how old the 'inactive' account is. I'd suggest a month or so.
[4] requires us to restore whatever is in /home/fedora.bak/$username.$timestamp at the time the account becomes active again. We won't leave $username.fedorapeople.org up for security / liability reasons. But we will make it transparent to the user that it looks like their stuff never went away.
I'm going to disable password reset/account expiration until at least 3 of the 4 above are done.
Well I'm gonna safely assume that we won't kill all the kittens in time for the next one... :)
On Tue, Mar 10, 2009 at 7:41 PM, Mike McGrath mmcgrath@redhat.com wrote:
So holy crap does the planet hate it when you ask people to reset their passwords. In particular though, they hated the following:
- Kittens
Personally I thought people were having kittens for all the 'problems' occurring. Maybe we should set up an adoption agency? The main thing with password changes is that a segment of the society does not like them <PERIOD>. They will quote spafford, etc etc about how it's wrong to change passwords and with some members of our faculty do a virtual sit-out in protest. In general I hand them some lemons and tell them to make lemonade. [But that is why I am probably going to see our HR rep about..]
Normally our policy for accounts is the following: 15 day email saying your account will be locked, and then deleted 15 days after lock. 7 day email saying your account will be locked, and then deleted 15 days after lock. 1 day email saying your account will be locked, and then 1 day email saying your account is locked and will be deleted in 15 days. 7 day email saying... you get the picture.
If a person does not get the message within that time frame... well that is life. If we are going to schedule these for a precise period (say first week of March, September (if 180 day timeframe)) a mail can go out to the list also.
Mike McGrath wrote:
So holy crap does the planet hate it when you ask people to reset their passwords. In particular though, they hated the following:
- Kittens
- "Password Expiration" is confusing and does not imply "account expiration". Some may have ignored the warning because they did not understand what the consequences were.
- Mail aliases going away. This one's legit and accounts for the only data loss we actually had.
- fedorapeople space going away and not coming back automatically.
Possible implementation here: https://fedorahosted.org/fedora-infrastructure/ticket/1244#comment:1
5. Password resets could be introducing less secure passwords. This one's hard for me to quantify. If you use a strong password the first time, what's the likelihood that each reset will bring some number of users to use an insecure password? What's the likelihood of someone using an insecure password to use a more secure password next time?
This can be partially mitigated by using a password strength checker but it was pointed out to me that a strength checker 1) doesn't catch things like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't as devious as someone trying to crack passwords.
#2 is a bug in the strength checker but we're likely to have to continuously work on the upstream software in order to keep things secure. Without the reward of knowing how much security we're gaining.
#1... I don't have a solution for.
I'm going to disable password reset/account expiration until at least 3 of the 4 above are done.
Please hate me a little less now. Thoughts?
Would not doing a password expiration but just an account expiration be okay? I think that we can cover a pretty broad swathe of contributors with something that ties into people logging into fas (because we use json to log people in to web services including the wiki and they need to login to get a certificate to use koji/lookaside). We'd just have to expire accounts on a longer interval than the ssl certs... like 6 months for certs and 7 months for accounts.
Thoughts on implementing alternate means of checking activity here: https://fedorahosted.org/fedora-infrastructure/ticket/1237
-Toshio
On Wed, 11 Mar 2009, Toshio Kuratomi wrote:
- Password resets could be introducing less secure passwords. This one's hard for me to quantify. If you use a strong password the first time, what's the likelihood that each reset will bring some number of users to use an insecure password? What's the likelihood of someone using an insecure password to use a more secure password next time?
This can be partially mitigated by using a password strength checker but it was pointed out to me that a strength checker 1) doesn't catch things like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't as devious as someone trying to crack passwords.
#2 is a bug in the strength checker but we're likely to have to continuously work on the upstream software in order to keep things secure. Without the reward of knowing how much security we're gaining.
#1... I don't have a solution for.
I'd think http://www.nongnu.org/python-crack/ is a good start.
Would not doing a password expiration but just an account expiration be okay? I think that we can cover a pretty broad swathe of contributors with something that ties into people logging into fas (because we use json to log people in to web services including the wiki and they need to login to get a certificate to use koji/lookaside). We'd just have to expire accounts on a longer interval than the ssl certs... like 6 months for certs and 7 months for accounts.
Thoughts on implementing alternate means of checking activity here: https://fedorahosted.org/fedora-infrastructure/ticket/1237
I think we shouldn't go too far out of our way for people that can't follow directions. Harsh? Yes, but what we asked of people was incredibly trivial. I'd be fine with asking people to log in but I'd think we'll find lots of people find that confusing. Logging in and setting your password is a task that has a clear beginning and end. I can see people logging in expecting to see further directions and then asking "now what"?
We've just got so much else to do I'd hate to spend a lot of time and effort to please a few people that can't spend less than a minute a year (15 seconds every 2 months) to log in and type their password a couple of times and the people that complained couldn't do that.
If someone has time to implement some grand scheme, that's fine. I know I don't. The changes suggested about aliases and home dirs are good ones.
-Mike
Mike McGrath wrote:
I think we shouldn't go too far out of our way for people that can't follow directions. Harsh? Yes, but what we asked of people was incredibly trivial. I'd be fine with asking people to log in but I'd think we'll find lots of people find that confusing. Logging in and setting your password is a task that has a clear beginning and end. I can see people logging in expecting to see further directions and then asking "now what"?
Why tell them at all? If you change it to 'activity shown on account' (which, IMNSHO, is the proper way)... the only reason for having people login will be immediately obvious via a properly worded email (i.e., "Due to inactivity on your FAS account, your account will be terminated in 1 month, unless the following steps are taken...").
We've just got so much else to do I'd hate to spend a lot of time and effort to please a few people that can't spend less than a minute a year (15 seconds every 2 months) to log in and type their password a couple of times and the people that complained couldn't do that.
Many fail to realize that the same password they used before could be used again. Hence the complaints. People don't like having to remember new passwords every couple of months. It's irritating and really unnecessary, not to mention the new security holes you open (as Toshio, partially, explained in his email).
Lyos Gemini Norezel
On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:
Mike McGrath wrote:
I think we shouldn't go too far out of our way for people that can't follow directions. Harsh? Yes, but what we asked of people was incredibly trivial. I'd be fine with asking people to log in but I'd think we'll find lots of people find that confusing. Logging in and setting your password is a task that has a clear beginning and end. I can see people logging in expecting to see further directions and then asking "now what"?
Why tell them at all? If you change it to 'activity shown on account' (which, IMNSHO, is
NSHO? who are you?
the proper way)... the only reason for having people login will be immediately obvious via a properly worded email (i.e., "Due to inactivity on your FAS account, your account will be terminated in 1 month, unless the following steps are taken...").
The only common point of entry for all of our services is the account system and people rarely use it without being asked to so we'll still have to do some emailing.
We've just got so much else to do I'd hate to spend a lot of time and effort to please a few people that can't spend less than a minute a year (15 seconds every 2 months) to log in and type their password a couple of times and the people that complained couldn't do that.
Many fail to realize that the same password they used before could be used again. Hence the complaints.
Ehh, no. Almost no one has complained that they actually had to change their password to something else. And you can be damn sure I'll spell that out explicitly in the next email so everyone gets it.
-Mike
Mike McGrath wrote:
On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:
the proper way)... the only reason for having people login will be immediately obvious via a properly worded email (i.e., "Due to inactivity on your FAS account, your account will be terminated in 1 month, unless the following steps are taken...").
The only common point of entry for all of our services is the account system and people rarely use it without being asked to so we'll still have to do some emailing.
That's actually only sort of true. People don't use FAS often... but they do logon to FAS whenever they log onto the other web apps.
-Toshio
On Wed, 11 Mar 2009, Toshio Kuratomi wrote:
Mike McGrath wrote:
On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:
the proper way)... the only reason for having people login will be immediately obvious via a properly worded email (i.e., "Due to inactivity on your FAS account, your account will be terminated in 1 month, unless the following steps are taken...").
The only common point of entry for all of our services is the account system and people rarely use it without being asked to so we'll still have to do some emailing.
That's actually only sort of true. People don't use FAS often... but they do logon to FAS whenever they log onto the other web apps.
Just make the pain go away, it's clear that password resets are too much for people to handle.
-Mike
Mike McGrath wrote:
On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:
Mike McGrath wrote:
I think we shouldn't go too far out of our way for people that can't follow directions. Harsh? Yes, but what we asked of people was incredibly trivial. I'd be fine with asking people to log in but I'd think we'll find lots of people find that confusing. Logging in and setting your password is a task that has a clear beginning and end. I can see people logging in expecting to see further directions and then asking "now what"?
Why tell them at all? If you change it to 'activity shown on account' (which, IMNSHO, is
NSHO? who are you?
*Sigh*...
I did not really wish to reveal this, in public, however, since you asked...
I'm a former blackhat hacker, whom the government has banned from working ANY security and/or government job.
Suffice it to say, I understand security (or lack thereof) better than most, though I may be rusty/out of date in some areas.
I do not tell you this to brag, I actually regret my past more and more as I get older. My 'prior life' has brought me more pain than glory.
the proper way)... the only reason for having people login will be immediately obvious via a properly worded email (i.e., "Due to inactivity on your FAS account, your account will be terminated in 1 month, unless the following steps are taken...").
The only common point of entry for all of our services is the account system and people rarely use it without being asked to so we'll still have to do some emailing.
Aren't pkgdb, koji, bodhi and other services all a part of FAS? If I'm right here... then I suspect people are logging into FAS more often than you believe.
We've just got so much else to do I'd hate to spend a lot of time and effort to please a few people that can't spend less than a minute a year (15 seconds every 2 months) to log in and type their password a couple of times and the people that complained couldn't do that.
Many fail to realize that the same password they used before could be used again. Hence the complaints.
Ehh, no. Almost no one has complained that they actually had to change their password to something else. And you can be damn sure I'll spell that out explicitly in the next email so everyone gets it.
-Mike
As Toshio has already brought up on this list (after I brought it to his attention)... people have a tendency to select progressively weaker passwords every time they are forced to change one.
So your idea of 'security' is actually INTRODUCING more holes than it's plugging.
This is where my contribution to this argument ends.
I am not interested in fighting and the raised blood pressure that goes with it.
I have enough stress in my life... I am not about to add another debate/argument to that list.
Take my advice or don't... just don't expect me to do anything other than laugh and say 'told ya so', when I prove correct.
Good luck (despite my 'tone' above, I mean that),
Lyos Gemini Norezel
On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:
Mike McGrath wrote:
On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:
Mike McGrath wrote:
I think we shouldn't go too far out of our way for people that can't follow directions. Harsh? Yes, but what we asked of people was incredibly trivial. I'd be fine with asking people to log in but I'd think we'll find lots of people find that confusing. Logging in and setting your password is a task that has a clear beginning and end. I can see people logging in expecting to see further directions and then asking "now what"?
Why tell them at all? If you change it to 'activity shown on account' (which, IMNSHO, is
NSHO? who are you?
*Sigh*...
I did not really wish to reveal this, in public, however, since you asked...
I'm a former blackhat hacker, whom the government has banned from working ANY security and/or government job.
Suffice it to say, I understand security (or lack thereof) better than most, though I may be rusty/out of date in some areas.
I do not tell you this to brag, I actually regret my past more and more as I get older. My 'prior life' has brought me more pain than glory.
I discovered long ago there's no glory in what we do. Gotta fight the good fight just because it's there.
the proper way)... the only reason for having people login will be immediately obvious via a properly worded email (i.e., "Due to inactivity on your FAS account, your account will be terminated in 1 month, unless the following steps are taken...").
The only common point of entry for all of our services is the account system and people rarely use it without being asked to so we'll still have to do some emailing.
Aren't pkgdb, koji, bodhi and other services all a part of FAS? If I'm right here... then I suspect people are logging into FAS more often than you believe.
Not all of them auth in the same way unfortunately and it's not as quick of a fix as it sounds like.
We've just got so much else to do I'd hate to spend a lot of time and effort to please a few people that can't spend less than a minute a year (15 seconds every 2 months) to log in and type their password a couple of times and the people that complained couldn't do that.
Many fail to realize that the same password they used before could be used again. Hence the complaints.
Ehh, no. Almost no one has complained that they actually had to change their password to something else. And you can be damn sure I'll spell that out explicitly in the next email so everyone gets it.
-Mike
As Toshio has already brought up on this list (after I brought it to his attention)... people have a tendency to select progressively weaker passwords every time they are forced to change one.
So your idea of 'security' is actually INTRODUCING more holes than it's plugging.
It's not my idea of security, it's my idea of a task. I just want some concrete thing that has a beginning, middle, and end for people to do so we can prune accounts. Logging in and typing your password a couple of times (and keeping it the same thing). Doesn't sound like it's introducing or removing any holes.
Sorry to hear you won't be discussing it further.
-Mike
Mike McGrath wrote:
I discovered long ago there's no glory in what we do. Gotta fight the good fight just because it's there.
There's a truism I wish I'd never heard.
It's not my idea of security, it's my idea of a task. I just want some concrete thing that has a beginning, middle, and end for people to do so we can prune accounts. Logging in and typing your password a couple of times (and keeping it the same thing). Doesn't sound like it's introducing or removing any holes.
As I said before, it seems, that not everyone understood that. Most (apparently) thought the password had to be changed. That's what will introduce new holes that didn't exist before.
I think the major portion of confusion here is the standards set by 'free' email services, where a 'password reset' means selecting and entering a new password (this is also common in corporate settings).
I'm simply suggesting that it'll be easier/more secure to handle by way of logging 'login times' than the way it is currently being handled.
It may well prove to be more work than was wanted... but more work is often better than a reduction in security.
Sorry to hear you won't be discussing it further.
-Mike
Toshio has the majority of my arguments from our recent discussions. I am willing to clear up confusion in my arguments, should they arise, but I will not fight.
My mind (and body) simply cannot handle the stress of debating/arguing/fighting, and seeing as this is the kind of discussion that can quickly run out of control, I am simply stating my intention not to get involved in another fight.
Lyos Gemini Norezel
I'm coming to this discussion without much background, so apologies if I am missing something, but from what I gather all you're trying to do is check for active contributors? If so, why not send an email along the following lines instead of requiring password resets?
"According to our records you are a contributor to the Fedora project. We periodically check that all our contributors are still active so that we can clean up old accounts and save some server room. If you would like to keep your Fedora account, please click the link below. Should you not have visited the link below by x, we will remove your account.
http://admin.fedoraproject.org/accounts/verify/myemail@fp.o
You have one month until your account will be removed."
In these circumstances I find short, clear emails with a clear statement of consequences gets across best...
Simon
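The retention link Simon proposes above carries only the address, so anyone who can guess it could "keep" an account that is not theirs. The following is an added example, not FAS code or anything from the thread, of binding that link to an HMAC over the username and the deadline so it can only be produced by the account system and stops working after the stated date. The secret key and the base URL (modelled on the one quoted above) are assumptions.

```python
"""Signed, expiring "keep my account" link for an inactivity-check e-mail.

Added example, not FAS code. SECRET_KEY and BASE_URL are assumptions.
"""
import base64
import hashlib
import hmac
from typing import Optional

SECRET_KEY = b"constructed-example-key-replace-in-production"  # assumption
BASE_URL = "https://admin.fedoraproject.org/accounts/verify/"  # assumption


def _sign(payload: bytes) -> str:
    """URL-safe HMAC-SHA256 tag over the payload (padding stripped)."""
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_verify_link(username: str, deadline: int) -> str:
    """Build the link to put in the e-mail.

    `deadline` is a Unix timestamp: the "by x" in the mail text. After it,
    clicking the link no longer keeps the account.
    """
    payload = f"{username}:{deadline}".encode()
    return f"{BASE_URL}{username}/{deadline}/{_sign(payload)}"


def verify_link(path: str, now: int) -> Optional[str]:
    """Check the path part of a clicked link (username/deadline/signature).

    Returns the username when the signature is authentic and the deadline has
    not passed, otherwise None. Comparison is constant-time so a forged tag
    cannot be guessed byte by byte from response timing.
    """
    parts = path.split("/")
    if len(parts) != 3:
        return None
    username, deadline_s, sig = parts
    if not deadline_s.isdigit():
        return None
    deadline = int(deadline_s)
    expected = _sign(f"{username}:{deadline}".encode())
    if not hmac.compare_digest(expected, sig):
        return None
    if now > deadline:
        return None
    return username


if __name__ == "__main__":
    link = make_verify_link("alice", 1_300_000_000)  # constructed sample
    print(link)
    print(verify_link(link[len(BASE_URL):], now=1_299_000_000))  # alice
```

On a successful verify the account system would also record the click as activity; the link should be treated as single-use by recording that the deadline token has been consumed.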
Mike McGrath wrote:
On Wed, 11 Mar 2009, Toshio Kuratomi wrote:
- Password resets could be introducing less secure passwords. This one's hard for me to quantify. If you use a strong password the first time, what's the likelihood that each reset will bring some number of users to use an insecure password? What's the likelihood of someone using an insecure password to use a more secure password next time?
This can be partially mitigated by using a password strength checker but it was pointed out to me that a strength checker 1) doesn't catch things like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't as devious as someone trying to crack passwords.
#2 is a bug in the strength checker but we're likely to have to continuously work on the upstream software in order to keep things secure. Without the reward of knowing how much security we're gaining.
#1... I don't have a solution for.
I'd think http://www.nongnu.org/python-crack/ is a good start.
This addresses #2. But doesn't address #1. If my password is 2005-03-11HutchinsonSnoopy a password strength checker isn't going to find that an especially weak password but a cracker that's researching their targets has a decent chance of figuring it out.
Would not doing a password expiration but just an account expiration be okay? I think that we can cover a pretty broad swathe of contributors with something that ties into people logging into fas (because we use json to log people in to web services including the wiki and they need to login to get a certificate to use koji/lookaside). We'd just have to expire accounts on a longer interval than the ssl certs... like 6 months for certs and 7 months for accounts.
Thoughts on implementing alternate means of checking activity here: https://fedorahosted.org/fedora-infrastructure/ticket/1237
I think we shouldn't go too far out of our way for people that can't follow directions. Harsh? Yes, but what we asked of people was incredibly trivial. I'd be fine with asking people to log in but I'd think we'll find lots of people find that confusing. Logging in and setting your password is a task that has a clear beginning and end. I can see people logging in expecting to see further directions and then asking "now what"?
We've just got so much else to do I'd hate to spend a lot of time and effort to please a few people that can't spend less than a minute a year (15 seconds every 2 months) to log in and type their password a couple of times and the people that complained couldn't do that.
This isn't too hard to do, though. On the data saving side, we just need fas to record the current timestamp in lastseen whenever someone logs into fas.
On the expiry side, we need to check the lastseen date instead of the password_change date.
So it's just explaining to people how to show they're still active....
-Toshio
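Toshio's proposal above (record `lastseen` on every FAS login, expire on `lastseen` instead of the password-change date) combined with the warning ladder described earlier in the thread, as an added example that is not FAS code or anything from the ticket. It assumes an in-memory account record, the 7-month account interval (longer than the 6-month cert interval, so cert renewals count as activity), the 15/7/1-day warnings, and deletion 15 days after lock.

```python
"""Activity-based account expiry driven by `lastseen`, not password age.

Added example, not FAS code. Intervals are the ones floated in the thread.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

CERT_LIFETIME = timedelta(days=6 * 30)      # 6 months, from the thread
ACCOUNT_LIFETIME = timedelta(days=7 * 30)   # 7 months, from the thread
DELETE_AFTER_LOCK = timedelta(days=15)      # locked accounts pruned after 15 days
WARN_DAYS = (15, 7, 1)                      # e-mails sent this many days before lock
assert ACCOUNT_LIFETIME > CERT_LIFETIME, "a cert renewal must count as activity"


@dataclass
class Account:
    username: str
    lastseen: datetime
    password_changed: datetime          # kept for reference; no longer drives expiry
    locked_at: Optional[datetime] = None
    warnings_sent: Set[int] = field(default_factory=set)


def record_login(acct: Account, when: datetime) -> bool:
    """Called on every FAS login (web apps authenticate through FAS too).

    Resets the inactivity clock and clears pending warnings. Returns True if
    the account was locked and is now active again, so the caller can restore
    the saved home directory (the /home/fedora.bak copy discussed earlier).
    """
    reactivated = acct.locked_at is not None
    acct.locked_at = None
    acct.lastseen = when
    acct.warnings_sent.clear()
    return reactivated


def lock_date(acct: Account) -> datetime:
    return acct.lastseen + ACCOUNT_LIFETIME


def evaluate(acct: Account, now: datetime) -> str:
    """One cron-run decision for one account.

    Returns one of: "active", "warn:<days>", "lock", "locked", "delete".
    At most one mail per run; the 15-day mail goes out first if a run was missed.
    """
    if acct.locked_at is not None:
        if now >= acct.locked_at + DELETE_AFTER_LOCK:
            return "delete"
        return "locked"
    due = lock_date(acct)
    if now >= due:
        acct.locked_at = now
        return "lock"
    days_left = (due - now).days
    for days in WARN_DAYS:
        if days_left <= days and days not in acct.warnings_sent:
            acct.warnings_sent.add(days)
            return f"warn:{days}"
    return "active"


if __name__ == "__main__":
    # Constructed sample: alice last logged in on the day of this thread.
    t0 = datetime(2009, 3, 11, tzinfo=timezone.utc)
    alice = Account("alice", lastseen=t0, password_changed=t0 - timedelta(days=400))
    for offset in (30, 195, 204, 209, 210, 213, 225):
        print(offset, evaluate(alice, t0 + timedelta(days=offset)))
```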
Toshio Kuratomi wrote:
Mike McGrath wrote:
So holy crap does the planet hate it when you ask people to reset their passwords. In particular though, they hated the following:
- Kittens
- "Password Expiration" is confusing and does not imply "account expiration". Some may have ignored the warning because they did not understand what the consequences were.
- Mail aliases going away. This one's legit and accounts for the only data loss we actually had.
- fedorapeople space going away and not coming back automatically.
Possible implementation here: https://fedorahosted.org/fedora-infrastructure/ticket/1244#comment:1
- Password resets could be introducing less secure passwords. This one's hard for me to quantify. If you use a strong password the first time, what's the likelihood that each reset will bring some number of users to use an insecure password? What's the likelihood of someone using an insecure password to use a more secure password next time?
This can be partially mitigated by using a password strength checker but it was pointed out to me that a strength checker 1) doesn't catch things like BIRTHDATE + WIFESNAME + FIRSTPET 2) Strength checkers often aren't as devious as someone trying to crack passwords.
#2 is a bug in the strength checker but we're likely to have to continuously work on the upstream software in order to keep things secure. Without the reward of knowing how much security we're gaining.
#1... I don't have a solution for.
I'm going to disable password reset/account expiration until at least 3 of the 4 above are done.
Please hate me a little less now. Thoughts?
Would not doing a password expiration but just an account expiration be okay? I think that we can cover a pretty broad swathe of contributors with something that ties into people logging into fas (because we use json to log people in to web services including the wiki and they need to login to get a certificate to use koji/lookaside). We'd just have to expire accounts on a longer interval than the ssl certs... like 6 months for certs and 7 months for accounts.
+1
Even if they were required to log in to the FAS web UI as an indication that their account was still active, I think that would be preferable to forced password resets.
Thoughts on implementing alternate means of checking activity here: https://fedorahosted.org/fedora-infrastructure/ticket/1237
infrastructure@lists.fedoraproject.org