Fwd: FxA and security stuff
pdehaan at mozilla.com
Thu Nov 21 09:04:44 PST 2013
For those of you not blessed to be sitting in the vicinity of jrgm and myself...
GitHub weak passwords brute forced: 
"This is a great opportunity for you to review your account, ensure that you have a strong password and enable two-factor authentication."
Other fascinating topics of conversation recently have revolved around the big password leaks at Adobe (now available as a crossword puzzle; ), which nicely ties in to "Facebook requires some users to change password after Adobe hack" 
A couple open-ish questions for the larger team are:
- Should FxA enforce that passwords are not "weak" and not in the top X commonly used passwords?  Note that we're not just telling people that their password is weak or strong, but specifically rejecting their attempts to use a password of "password" or "123456" or "letmein", or "121212". Amazingly *24* of the top 100 most common passwords are strictly numeric!
- Is there a way for us to recognize possibly compromised common passwords and force users to change them, similar to what Facebook did?
- Should/can we support two-factor authentication (a la Dropbox, Twitter, Evernote, GitHub, Gmail, etc)?
- Not a question really, but jrgm is in huge support of lloyd's "lockdown" module for enforcing dependencies. I can file bugs in the various fxa-* repos to eventually lock down the dependencies before v1 release if we're not already using it.
----- Forwarded Message -----
From: "Edwin Wong" <edwong at mozilla.com>
To: "Peter deHaan" <pdehaan at mozilla.com>
Cc: services-qa-staff at mozilla.com
Sent: Wednesday, November 20, 2013 9:42:14 PM
Subject: Re: FxA and security stuff
I'd push this email to the dev-fxacct list.
We need to plan for 2 factor auth and blacklisting top passwds asap.
Yes, we need lockdown.
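Added example (my own code, not from the thread or from FxA): the two checks raised in the first two bullets of Peter's message, a set-time rejection of strictly numeric and top-X common passwords, and a batch re-check of stored password hashes against a newly leaked list, along the lines of what Facebook did after the Adobe leak. The common-password list, account records and leaked list below are constructed samples; PBKDF2-SHA256 is assumed as the stored hash, not necessarily what FxA uses.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample standing in for a real "top X" list loaded at deploy time.
COMMON_PASSWORDS_FILE = """
# one password per line; blank lines and comments are ignored
password
123456
letmein
121212
Qwerty
"""

def normalize(candidate: str) -> str:
    """Canonicalise before comparing so 'PassWord' hits the 'password' entry."""
    return unicodedata.normalize("NFKC", candidate).strip().casefold()

def load_common_list(text: str) -> frozenset:
    """Parse the list file into a set of normalized entries for O(1) lookup."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(normalize(line))
    return frozenset(entries)

COMMON_PASSWORDS = load_common_list(COMMON_PASSWORDS_FILE)

def reject_reason(candidate: str, common=COMMON_PASSWORDS):
    """Return why a new password is rejected at set time, or None if it passes."""
    norm = normalize(candidate)
    if not norm:
        return "empty"
    if norm.isdigit():            # catches "123456", "121212" and friends
        return "strictly numeric"
    if norm in common:
        return "in common-password list"
    return None

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Assumed stored-hash scheme for the accounts table: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def accounts_to_force_reset(accounts: dict, leaked: list) -> list:
    """accounts: {user: (salt, stored_hash)}. Returns users whose stored hash
    matches any password in a newly leaked list, i.e. the accounts to force a
    reset on. Cost is |accounts| * |leaked| KDF runs, so this is a batch job."""
    flagged = []
    for user, (salt, stored) in accounts.items():
        for pw in leaked:
            if hmac.compare_digest(hash_password(pw, salt), stored):
                flagged.append(user)
                break
    return flagged
```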