Fwd: FxA and security stuff

Peter deHaan pdehaan at mozilla.com
Thu Nov 21 09:04:44 PST 2013

For those of you not blessed to be sitting in the vicinity of jrgm and myself...

GitHub weak passwords brute forced: [1]
"This is a great opportunity for you to review your account, ensure that you have a strong password and enable two-factor authentication."

Other fascinating topics of conversation recently have revolved around the big password leaks at Adobe (now available as a crossword puzzle; [2]), which nicely ties in to "Facebook requires some users to change password after Adobe hack" [3][4]

A couple of open-ish questions for the larger team are:

- Should FxA enforce that passwords are not "weak" and not in the top X commonly used passwords? [5] Note that we're not just telling people that their password is weak or strong, but specifically rejecting their attempts to use a password of "password" or "123456" or "letmein", or "121212". Amazingly *24* of the top 100 most common passwords [5] are strictly numeric!
- Is there a way for us to recognize possibly compromised common passwords and force users to change them, similar to what Facebook did?
- Should/can we support two-factor authentication (a la Dropbox, Twitter, Evernote, GitHub, Gmail, etc)?
- Not a question really, but jrgm is in huge support of lloyd's "lockdown" module for enforcing dependencies [6]. I can file bugs in the various fxa-* repos to eventually lock down the dependencies before v1 release if we're not already using it.


[1] https://github.com/blog/1698-weak-passwords-brute-forced
[2] http://zed0.co.uk/crossword/
[3] http://www.theverge.com/2013/11/12/5095560/facebook-requires-users-to-change-password-after-adobe-hack
[4] http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/
[5] http://stricture-group.com/files/adobe-top100.txt
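As an added illustration of the first bullet above (not code from FxA or from this thread), a Node.js check that rejects a candidate password if it appears on a common-password blocklist or is strictly numeric; the blocklist here is a constructed sample standing in for a list like the Adobe top 100, and the minimum length and the rejection reasons are assumptions.

```javascript
// Constructed sample blocklist; a deployment would load the full top-N list
// from a file instead of hard-coding it.
const CONSTRUCTED_BLOCKLIST = [
  '123456', 'password', '12345678', 'qwerty', 'letmein', '121212',
  'iloveyou', 'abc123', '111111', 'photoshop', '1234567', '000000',
];

// Normalize before lookup so "Password" and "PASSWORD " are caught too.
function normalize(pw) {
  return pw.trim().toLowerCase();
}

// Build a Set once so each lookup is O(1) rather than a linear scan.
function buildBlocklist(list) {
  return new Set(list.map(normalize));
}

const defaultBlocklist = buildBlocklist(CONSTRUCTED_BLOCKLIST);

// Returns { ok: true } or { ok: false, reason } for a candidate password.
// The blocklist lookup runs first so the most specific reason is reported;
// the minimum length of 8 is an assumed policy value.
function checkPassword(pw, opts = {}) {
  const minLength = opts.minLength || 8;
  const list = opts.blocklist || defaultBlocklist;
  if (typeof pw !== 'string') {
    return { ok: false, reason: 'not_a_string' };
  }
  if (list.has(normalize(pw))) {
    return { ok: false, reason: 'common_password' };
  }
  if (/^\d+$/.test(pw)) {
    return { ok: false, reason: 'strictly_numeric' };
  }
  if (pw.length < minLength) {
    return { ok: false, reason: 'too_short' };
  }
  return { ok: true };
}

// How many entries of a leaked list are strictly numeric (the "24 of the
// top 100" observation, computed rather than eyeballed).
function countNumeric(list) {
  return list.filter((pw) => /^\d+$/.test(pw)).length;
}

console.log(checkPassword('password'));        // rejected: common_password
console.log(checkPassword('20131121'));        // rejected: strictly_numeric
console.log(checkPassword('Correct-Horse-7')); // accepted
console.log(countNumeric(CONSTRUCTED_BLOCKLIST));
```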

----- Forwarded Message -----
From: "Edwin Wong" <edwong at mozilla.com>
To: "Peter deHaan" <pdehaan at mozilla.com>
Cc: services-qa-staff at mozilla.com
Sent: Wednesday, November 20, 2013 9:42:14 PM
Subject: Re: FxA and security stuff

I'd push this email to the dev-fxacct list.

We need to plan for 2-factor auth and blacklisting top passwords ASAP.

Yes, we need lockdown.
