Password resets

Lyos Gemini Norezel lyos.gemininorezel at gmail.com
Wed Mar 11 18:37:42 UTC 2009


Mike McGrath wrote:
> On Wed, 11 Mar 2009, Lyos Gemini Norezel wrote:
>
>   
>> Mike McGrath wrote:
>>     
>>> I think we shouldn't go too far out of our way for people that can't
>>> follow directions.  Harsh?  Yes, but what we asked of people was
>>> incredibly trivial.  I'd be fine with asking people to log in but I'd
>>> think we'll find lots of people find that confusing.  Logging in and
>>> setting your password is a task that has a clear beginning and end.  I can
>>> see people logging in expecting to see further directions and then asking
>>> "now what"?
>>>
>>>       
>> Why tell them at all? If you change it to 'activity shown on account'
>> (which, IMNSHO, is
>>     
>
> NSHO?  who are you?
>   

*Sigh*...

I did not really wish to reveal this, in public, however, since you asked...

I'm a former blackhat hacker, whom the government has banned from 
working ANY security and/or government job.

Suffice it to say, I understand security (or lack thereof) better than 
most, though I may be rusty/out of date in some areas.

I do not tell you this to brag, I actually regret my past more and more 
as I get older.
My 'prior life' has bought me more pain than glory.

>> the proper way)... the only reason for having people login will be
>> immediately obvious via a properly worded email (ie., "Due to inactivity
>> on your FAS account, your account will be terminated in 1 month, unless
>> the following steps are taken...").
>>
>>     
>
> The only common point of entry for all of our services is the account
> system and people rarely use it without being asked to so we'll still have
> to do some emailing.
>
>   

Aren't pkgdb, koji, bodhi and other services all a part of FAS?
If I'm right here... then I suspect people are logging into FAS more 
often than you believe.

>>> We've just got so much else to do I'd hate to spend a lot of time and
>>> effort to please a few people that can't spend less than a minute a year
>>> (15 seconds every 2 months) to log in and type their password a couple of
>>> times and the people that complained couldn't do that.
>>>
>>>       
>> Many fail to realize that the same password they used before could be used
>> again.
>> Hence the complaints.
>>     
>
> Ehh, no.  Almost no one has complained that they actually had to change
> their password to something else.  And you can be damn sure I'll spell
> that out explicitly in the next email so everyone gets it.
>
> 	-Mike
>   

As Toshio has already brought up on this list (after I brought it to his 
attention)... people have a tendency to select progressively weaker 
passwords every time they are forced to change one.

So your idea of 'security' is actually INTRODUCING more holes than it's 
plugging.


This is where my contribution to this argument ends.

I am not interested in fighting and the raised blood pressure that goes 
with it.

I have enough stress in my life... I am not about to add another 
debate/argument to that list.

Take my advice or don't... just don't expect me to do anything other 
than laugh and say 'told ya so', when I prove correct.

Good luck (despite my 'tone' above, I mean that),

Lyos Gemini Norezel

More information about the Fedora-infrastructure-list mailing list