- From: Jen Simmons <jen@jensimmons.com>
- Date: Fri, 25 Apr 2014 20:07:29 -0400
- To: Doug Schepers <schepers@w3.org>
- Cc: WebPlatform Community <public-webplatform@w3.org>
- Message-ID: <CAB0bRKP-Pe2MV9jM269xVAO6MX1jkajNK+sMhnLrdJv+qoSppA@mail.gmail.com>
I think if we simply ask all users to reset their password as part of a big announcement of single-sign-on — that'll be fine. Could actually be very good, since it'll bring to mind for everyone that now they have *one* password for all WPD stuff. Anyone who currently has multiple logins & passwords — which might not match — those people could easily be confused after SSO is deployed if there is no reset required. Heartbleed will make this less painful. Everyone's used to getting password resets for security reasons right now. I think we shouldn't just make it seem like a security thing, however. We should use it as a Big Announcement. The password reset will happen *after* the rollout? Only once? I think that would be ideal. It would be great if we could get metrics on this as it happens. How many users do reset vs how many don't?? If we can. Jen Jen Simmons designer, consultant and speaker host of The Web Ahead jensimmons.com 5by5.tv/webahead twitter: jensimmons <http://twitter.com/jensimmons> On Fri, Apr 25, 2014 at 7:57 PM, Doug Schepers <schepers@w3.org> wrote: > Hi, folks– > > Renoir is in the middle of setting up a new accounts system to enable > Single Sign-On (SSO) across the different applications for WebPlatform > (starting with the wiki and the annotation system, then later the blog and > the issue tracker). This new system should also be somewhat more secure and > easier to manage. We will likely deploy the new system in May. > > One of the decisions we have to make is how to handle the passwords of > existing accounts; the question is whether we attempt to import and manage > the passwords automatically (there are some technical challenges there, > because passwords are stored encrypted), or if we can simply ask users to > reset their passwords. > > Pros: > 1) it's less work for Renoir, giving him more time to solve other problems > 2) in the wake of the Heartbleed bug, it's good practice for people to > reset their password > 3) it will give us a chance to remind and reconnect people to the project > (by emailing them to ask them to reset their password) > 4) it's a relatively small and easy thing to ask people to do > 5) it gives us the opportunity to weed out some spambots > 6) (anything else??) > > Cons: > 1) it is more inconvenient for our users > 2) some people may be confused by the change > 3) some people might be annoyed by us "spamming" them with an update > request > 4) anything else?? > > As you can see, currently I favor asking our users to change their > passwords. I had a hard time coming up with cons, which is why I'm asking > y'all in the community, to make sure I'm not missing anything. > > Thoughts? > > Thanks- > -Doug > >
Received on Saturday, 26 April 2014 00:08:02 UTC