Re: Passwords

Yea, people shouldn't consider an email informing them of a more secure
password storage system being put in place and that they would need to
update it as spam. It they do then that is pretty stingy. It is a
completely valid security issue that they should be aware of.

The confusion can be mitigated with doing what Jen mentioned. So an email
to everyone explaining the upgraded encryption mechanism and the advantages
the new SSO system provides. In that, state clearly that passwords should
be reset manually (if we can with a link to the reset with an expire time
of like a week.)

Another thing is, the SSO login should be done over HTTPS from the start.
Especially with resets considering we have been HTTP only since launch. If
this is done (which it really should, some devs haven't signed up for an
account simply because HTTPS isn't in use) then it would make another good
point to hit in an announcement email and blog post.

-Garbee


On Fri, Apr 25, 2014 at 8:07 PM, Jen Simmons <jen@jensimmons.com> wrote:

> I think if we simply ask all users to reset their password as part of a
> big announcement of single-sign-on — that'll be fine. Could actually be
> very good, since it'll bring to mind for everyone that now they have *one*
> password for all WPD stuff. Anyone who currently has multiple logins &
> passwords — which might not match — those people could easily be confused
> after SSO is deployed if there is no reset required. Heartbleed will make
> this less painful. Everyone's used to getting password resets for security
> reasons right now. I think we shouldn't just make it seem like a security
> thing, however. We should use it as a Big Announcement.
>
> The password reset will happen *after* the rollout? Only once? I think
> that would be ideal.
>
> It would be great if we could get metrics on this as it happens. How many
> users do reset vs how many don't?? If we can.
>
> Jen
>
> Jen Simmons
> designer, consultant and speaker
> host of The Web Ahead
> jensimmons.com
> 5by5.tv/webahead
> twitter: jensimmons <http://twitter.com/jensimmons>
>
>
>
> On Fri, Apr 25, 2014 at 7:57 PM, Doug Schepers <schepers@w3.org> wrote:
>
>> Hi, folks–
>>
>> Renoir is in the middle of setting up a new accounts system to enable
>> Single Sign-On (SSO) across the different applications for WebPlatform
>> (starting with the wiki and the annotation system, then later the blog and
>> the issue tracker). This new system should also be somewhat more secure and
>> easier to manage. We will likely deploy the new system in May.
>>
>> One of the decisions we have to make is how to handle the passwords of
>> existing accounts; the question is whether we attempt to import and manage
>> the passwords automatically (there are some technical challenges there,
>> because passwords are stored encrypted), or if we can simply ask users to
>> reset their passwords.
>>
>> Pros:
>> 1) it's less work for Renoir, giving him more time to solve other problems
>> 2) in the wake of the Heartbleed bug, it's good practice for people to
>> reset their password
>> 3) it will give us a chance to remind and reconnect people to the project
>> (by emailing them to ask them to reset their password)
>> 4) it's a relatively small and easy thing to ask people to do
>> 5) it gives us the opportunity to weed out some spambots
>> 6) (anything else??)
>>
>> Cons:
>> 1) it is more inconvenient for our users
>> 2) some people may be confused by the change
>> 3) some people might be annoyed by us "spamming" them with an update
>> request
>> 4) anything else??
>>
>> As you can see, currently I favor asking our users to change their
>> passwords. I had a hard time coming up with cons, which is why I'm asking
>> y'all in the community, to make sure I'm not missing anything.
>>
>> Thoughts?
>>
>> Thanks-
>> -Doug
>>
>>
>