Re: Passwords

I think if we simply ask all users to reset their password as part of a big
announcement of single-sign-on — that'll be fine. Could actually be very
good, since it'll bring to mind for everyone that now they have *one*
password for all WPD stuff. Anyone who currently has multiple logins &
passwords — which might not match — those people could easily be confused
after SSO is deployed if there is no reset required. Heartbleed will make
this less painful. Everyone's used to getting password resets for security
reasons right now. I think we shouldn't just make it seem like a security
thing, however. We should use it as a Big Announcement.

The password reset will happen *after* the rollout? Only once? I think that
would be ideal.

It would be great if we could get metrics on this as it happens. How many
users do reset vs how many don't?? If we can.

Jen

Jen Simmons
designer, consultant and speaker
host of The Web Ahead
jensimmons.com
5by5.tv/webahead
twitter: jensimmons <http://twitter.com/jensimmons>



On Fri, Apr 25, 2014 at 7:57 PM, Doug Schepers <schepers@w3.org> wrote:

> Hi, folks–
>
> Renoir is in the middle of setting up a new accounts system to enable
> Single Sign-On (SSO) across the different applications for WebPlatform
> (starting with the wiki and the annotation system, then later the blog and
> the issue tracker). This new system should also be somewhat more secure and
> easier to manage. We will likely deploy the new system in May.
>
> One of the decisions we have to make is how to handle the passwords of
> existing accounts; the question is whether we attempt to import and manage
> the passwords automatically (there are some technical challenges there,
> because passwords are stored encrypted), or if we can simply ask users to
> reset their passwords.
>
> Pros:
> 1) it's less work for Renoir, giving him more time to solve other problems
> 2) in the wake of the Heartbleed bug, it's good practice for people to
> reset their password
> 3) it will give us a chance to remind and reconnect people to the project
> (by emailing them to ask them to reset their password)
> 4) it's a relatively small and easy thing to ask people to do
> 5) it gives us the opportunity to weed out some spambots
> 6) (anything else??)
>
> Cons:
> 1) it is more inconvenient for our users
> 2) some people may be confused by the change
> 3) some people might be annoyed by us "spamming" them with an update
> request
> 4) anything else??
>
> As you can see, currently I favor asking our users to change their
> passwords. I had a hard time coming up with cons, which is why I'm asking
> y'all in the community, to make sure I'm not missing anything.
>
> Thoughts?
>
> Thanks-
> -Doug
>
>

Received on Saturday, 26 April 2014 00:08:02 UTC