| Summary: | Enforce stronger bugzilla passwords | | |
|---|---|---|---|
| Product: | Community | Reporter: | Martin Oberhuber <mober.at+eclipse> |
| Component: | Bugzilla | Assignee: | Eclipse Webmaster <webmaster> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | enhancement | | |
| Priority: | P3 | CC: | denis.roy, eclipse.org-architecture-council, gunnar, john.arthorne, krzysztof.daniel, remy.suen, sbouchet, wayne.beaton |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
|
Description
Martin Oberhuber
Make it just longer. Explanation here: http://xkcd.com/936/

+1 on long, easy passwords (or passphrases, if you will). Could you provide an easy password strength checker next to the password box? This should warn people that their password does not meet the requirement for strong passwords.

FWIW, when the authentication was changed from Bugzilla to LDAP over the XMas holidays, I *was* enforcing stronger passwords. Nothing (IMO) overly complex -- min. 8 characters, 1 uppercase, one number, 1 non-alpha. Wow, did that ever upset a bunch of people. Here's an example: http://bewarethepenguin.blogspot.com/2011/12/silly-password-requirements.html The requirements have since been relaxed. People do have the option of entering long passwords... Not many do. Closing WONTFIX. I tried, it failed.

FWIW this request was less about bugzilla, but more about additional services (i.e. committer-only services) linked to the same account. Stuff like the Portal, for instance. Since LDAP is used now, the request would be that committer passwords must satisfy certain criteria (I don't care about bugzilla-only users). The criteria that you mentioned seem reasonable ... stronger than most sites require, but still reasonable and pretty widely used. What's key IMO is that the password requirements are very clearly announced AT THE POINT where I need to choose or modify a password. Which in case of committer passwords would be the committertools / password change form, I guess. If a committer really argues about your criteria being too strong for committer access, I'd like to talk to him. Having our source repos compromised by unauthenticated access is a threat that I don't want to risk.

Understood and agreed. Let's reopen this and apply different reset rules. We have the technology to differentiate between user and committer.

Thanks Denis. Perhaps the bugzilla change password form should say "You're an Eclipse committer, and bugzilla uses your committer password. Please use <a href="http://portal.eclipse.org">the portal</a> to change your committer password."

I think I'm somewhere in between on this. It seems after three attempts you are locked out for some period, so an intruder does not get many chances to guess anyway. I would be in favour of some minimum standard but nothing too complex. IBM tends to be pretty strict about this stuff, and on none of the systems here do I have a rule like one upper, one number, AND one symbol. This just feels like a recipe for easily forgetting your password ;) I think something like a minimum of eight characters and at least two non-alpha characters is enough (numbers OR symbols). Not allowing a dictionary word would be another great check. Just my $0.02.

Some tools (e.g. Keepass Password Safe) compute password strength on the fly and show it in a gauge that changes from red to green as you type and make your password more complex. I think I've once seen this on an online site as well, but can't remember where. I like the visual feedback about strength .. might be more acceptable than some fixed rules. E.g. some people like long ASCII-only passphrases while others prefer shorter ones but with many non-alpha variations. Perhaps there's a pre-canned password strength checker available as a JavaScript component somewhere?

It looks like new restrictions have been introduced recently. See bug 372846.

We've fixed this on accounts.eclipse.org
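The two rule sets debated in this thread, plus the red-to-green gauge, as a client-side checker of the kind asked for above; this is an added example, not code from Eclipse's Bugzilla, portal or accounts site. The dictionary list is a constructed stand-in, and the bit estimate is the naive charset-size one most gauges use, which is exactly why it scores a long lowercase passphrase far above a short substituted word.

```javascript
// Policy A (the rules that were enforced after the LDAP switch):
//   min 8 chars, 1 uppercase, 1 digit, 1 non-alphanumeric.
// Policy B (the counter-proposal): min 8 chars, at least 2 non-alpha
//   chars (digits or symbols), and not a bare dictionary word.
// Each check returns the list of unmet requirements so the form can
// announce them at the point where the password is chosen.
const DICTIONARY = new Set(["password", "eclipse", "committer", "welcome"]); // constructed stand-in

function checkPolicyA(pw) {
  const problems = [];
  if (pw.length < 8) problems.push("at least 8 characters");
  if (!/[A-Z]/.test(pw)) problems.push("one uppercase letter");
  if (!/[0-9]/.test(pw)) problems.push("one digit");
  if (!/[^A-Za-z0-9]/.test(pw)) problems.push("one non-alphanumeric character");
  return problems;
}

function checkPolicyB(pw) {
  const problems = [];
  if (pw.length < 8) problems.push("at least 8 characters");
  const nonAlpha = (pw.match(/[^A-Za-z]/g) || []).length;
  if (nonAlpha < 2) problems.push("two non-alphabetic characters (digits or symbols)");
  // Only catches a single bare word; a passphrase of several words passes.
  if (DICTIONARY.has(pw.toLowerCase())) problems.push("not a dictionary word");
  return problems;
}

// Naive strength estimate: length * log2(size of the character classes used).
// Good enough to drive a gauge; it does not model dictionary structure.
function estimateBits(pw) {
  let charset = 0;
  if (/[a-z]/.test(pw)) charset += 26;
  if (/[A-Z]/.test(pw)) charset += 26;
  if (/[0-9]/.test(pw)) charset += 10;
  if (/[^A-Za-z0-9]/.test(pw)) charset += 33; // printable ASCII symbols incl. space
  return charset === 0 ? 0 : Math.round(pw.length * Math.log2(charset));
}

// Gauge colour thresholds are an assumption for illustration.
function gaugeColour(bits) {
  if (bits < 40) return "red";
  if (bits < 64) return "yellow";
  return "green";
}
```

Note that "correct horse battery staple" fails Policy A (no uppercase, no digit) yet passes Policy B and scores green on the gauge, which is the tension the thread is about.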