Re: Passwords

On the subject of HTTPS, I submitted a pull request that changes hRef
values to be protocol agnostic (// instead of http://) for the skin. There
are probably more places that should be converted, but it is a start.
However, without a proper certificate, no one will use the HTTPS version,
which is currently certified for * and thus generates a
certificate error and a warning interstitial.

We should not only (really) support HTTPS, but also require it. Especially
when logged in.


On Sat, Apr 26, 2014 at 12:07 PM, Jonathan Garbee <
> wrote:

> Yea, people shouldn't consider an email informing them of a more secure
> password storage system being put in place and that they would need to
> update it as spam. It they do then that is pretty stingy. It is a
> completely valid security issue that they should be aware of.
> The confusion can be mitigated with doing what Jen mentioned. So an email
> to everyone explaining the upgraded encryption mechanism and the advantages
> the new SSO system provides. In that, state clearly that passwords should
> be reset manually (if we can with a link to the reset with an expire time
> of like a week.)
> Another thing is, the SSO login should be done over HTTPS from the start.
> Especially with resets considering we have been HTTP only since launch. If
> this is done (which it really should, some devs haven't signed up for an
> account simply because HTTPS isn't in use) then it would make another good
> point to hit in an announcement email and blog post.
> -Garbee
> On Fri, Apr 25, 2014 at 8:07 PM, Jen Simmons <> wrote:
>> I think if we simply ask all users to reset their password as part of a
>> big announcement of single-sign-on — that'll be fine. Could actually be
>> very good, since it'll bring to mind for everyone that now they have *one*
>> password for all WPD stuff. Anyone who currently has multiple logins &
>> passwords — which might not match — those people could easily be confused
>> after SSO is deployed if there is no reset required. Heartbleed will make
>> this less painful. Everyone's used to getting password resets for security
>> reasons right now. I think we shouldn't just make it seem like a security
>> thing, however. We should use it as a Big Announcement.
>> The password reset will happen *after* the rollout? Only once? I think
>> that would be ideal.
>> It would be great if we could get metrics on this as it happens. How many
>> users do reset vs how many don't?? If we can.
>> Jen
>> Jen Simmons
>> designer, consultant and speaker
>> host of The Web Ahead
>> twitter: jensimmons <>
>> On Fri, Apr 25, 2014 at 7:57 PM, Doug Schepers <> wrote:
>>> Hi, folks–
>>> Renoir is in the middle of setting up a new accounts system to enable
>>> Single Sign-On (SSO) across the different applications for WebPlatform
>>> (starting with the wiki and the annotation system, then later the blog and
>>> the issue tracker). This new system should also be somewhat more secure and
>>> easier to manage. We will likely deploy the new system in May.
>>> One of the decisions we have to make is how to handle the passwords of
>>> existing accounts; the question is whether we attempt to import and manage
>>> the passwords automatically (there are some technical challenges there,
>>> because passwords are stored encrypted), or if we can simply ask users to
>>> reset their passwords.
>>> Pros:
>>> 1) it's less work for Renoir, giving him more time to solve other
>>> problems
>>> 2) in the wake of the Heartbleed bug, it's good practice for people to
>>> reset their password
>>> 3) it will give us a chance to remind and reconnect people to the
>>> project (by emailing them to ask them to reset their password)
>>> 4) it's a relatively small and easy thing to ask people to do
>>> 5) it gives us the opportunity to weed out some spambots
>>> 6) (anything else??)
>>> Cons:
>>> 1) it is more inconvenient for our users
>>> 2) some people may be confused by the change
>>> 3) some people might be annoyed by us "spamming" them with an update
>>> request
>>> 4) anything else??
>>> As you can see, currently I favor asking our users to change their
>>> passwords. I had a hard time coming up with cons, which is why I'm asking
>>> y'all in the community, to make sure I'm not missing anything.
>>> Thoughts?
>>> Thanks-
>>> -Doug

Received on Saturday, 26 April 2014 10:06:41 UTC