Passwords

Hi, folks–

Renoir is in the middle of setting up a new accounts system to enable 
Single Sign-On (SSO) across the different applications for WebPlatform 
(starting with the wiki and the annotation system, then later the blog 
and the issue tracker). This new system should also be somewhat more 
secure and easier to manage. We will likely deploy the new system in May.

One of the decisions we have to make is how to handle the passwords of 
existing accounts; the question is whether we attempt to import and 
manage the passwords automatically (there are some technical challenges 
there, because passwords are stored encrypted), or if we can simply ask 
users to reset their passwords.

Pros:
1) it's less work for Renoir, giving him more time to solve other problems
2) in the wake of the Heartbleed bug, it's good practice for people to 
reset their password
3) it will give us a chance to remind and reconnect people to the 
project (by emailing them to ask them to reset their password)
4) it's a relatively small and easy thing to ask people to do
5) it gives us the opportunity to weed out some spambots
6) (anything else??)

Cons:
1) it is more inconvenient for our users
2) some people may be confused by the change
3) some people might be annoyed by us "spamming" them with an update request
4) anything else??

As you can see, currently I favor asking our users to change their 
passwords. I had a hard time coming up with cons, which is why I'm 
asking y'all in the community, to make sure I'm not missing anything.

Thoughts?

Thanks-
-Doug

Received on Friday, 25 April 2014 23:57:48 UTC