FxA and security stuff

Edwin Wong edwong at mozilla.com
Thu Nov 21 09:34:28 PST 2013

I know we will rate limit the number of password attempts for FxA, but it looks like the bad guys have workarounds for this in the GitHub attack:

While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly 40K unique IP addresses.

On Nov 21, 2013, at 9:04 AM, Peter deHaan <pdehaan at mozilla.com> wrote:

> For those of you not blessed to be sitting in the vicinity of jrgm and myself...
> GitHub weak passwords brute forced: [1]
> "This is a great opportunity for you to review your account, ensure that you have a strong password and enable two-factor authentication."
> Other fascinating topics of conversation recently have revolved around the big password leaks at Adobe (now available as a crossword puzzle; [2]), which nicely ties in to "Facebook requires some users to change password after Adobe hack" [3][4]
> A couple of open-ish questions for the larger team are:
> - Should FxA enforce that passwords are not "weak" and not in the top X commonly used passwords? [5] Note that we're not just telling people that their password is weak or strong, but specifically rejecting their attempts to use a password of "password" or "123456" or "letmein", or "121212". Amazingly *24* of the top 100 most common passwords [5] are strictly numeric!
> - Is there a way for us to recognize possibly compromised common passwords and force users to change them, similar to what Facebook did?
> - Should/can we support two-factor authentication (a la Dropbox, Twitter, Evernote, GitHub, Gmail, etc)?
> - Not a question really, but jrgm is in huge support of lloyd's "lockdown" module for enforcing dependencies [6]. I can file bugs in the various fxa-* repos to eventually lock down the dependencies before v1 release if we're not already using it.
> -peter
> [1] https://github.com/blog/1698-weak-passwords-brute-forced
> [2] http://zed0.co.uk/crossword/
> [3] http://www.theverge.com/2013/11/12/5095560/facebook-requires-users-to-change-password-after-adobe-hack
> [4] http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/
> [5] http://stricture-group.com/files/adobe-top100.txt
> ----- Forwarded Message -----
> From: "Edwin Wong" <edwong at mozilla.com>
> To: "Peter deHaan" <pdehaan at mozilla.com>
> Cc: services-qa-staff at mozilla.com
> Sent: Wednesday, November 20, 2013 9:42:14 PM
> Subject: Re: FxA and security stuff
> I'd push this email to the dev-fxacct list.
> We need to plan for 2-factor auth and blacklisting top passwords ASAP.
> Yes, we need lockdown.
> -e
> _______________________________________________
> Dev-fxacct mailing list
> Dev-fxacct at mozilla.org
> https://mail.mozilla.org/listinfo/dev-fxacct
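Both of the points raised in this thread, Peter's question about rejecting top-N common passwords and Edwin's note that per-IP rate limiting is sidestepped by spreading guesses over ~40K addresses, in one worked example. This is added illustration code, not FxA's own: the denylist is a small constructed sample (the four passwords named above plus two more, not the actual top-100 file), and the limiter is keyed on the target account rather than the source IP, so a distributed guessing run still exhausts a single per-account budget.

```javascript
// Constructed sample denylist, standing in for a real top-N common-password list.
const COMMON_PASSWORDS = new Set([
  'password', '123456', 'letmein', '121212', 'qwerty', 'abc123',
]);

// Reject a candidate password if it appears in the denylist after
// normalisation (trim + lowercase), so "Password " is caught as well.
function isAllowedPassword(candidate) {
  const normalized = candidate.trim().toLowerCase();
  return !COMMON_PASSWORDS.has(normalized);
}

// Count failed attempts per target account inside a sliding window.
// A per-IP limit alone is defeated by spreading guesses across many
// addresses; keying on the account catches that pattern regardless of source.
class AccountLoginLimiter {
  constructor(maxFailures, windowMs) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // account -> array of failure timestamps (ms)
  }

  // Drop timestamps outside the window and return the ones still counted.
  _recent(account, now) {
    const cutoff = now - this.windowMs;
    const kept = (this.failures.get(account) || []).filter(t => t > cutoff);
    this.failures.set(account, kept);
    return kept;
  }

  // True if the account has hit its failure budget for the current window.
  isLocked(account, now = Date.now()) {
    return this._recent(account, now).length >= this.maxFailures;
  }

  // Record one failed login for the account; the source IP is deliberately not the key.
  recordFailure(account, now = Date.now()) {
    this._recent(account, now).push(now);
  }
}

// Replay a list of wrong guesses against one account, each at a later tick,
// and return how many reached the password check before the lockout engaged.
function countAttemptsReachingPasswordCheck(limiter, account, guesses) {
  let reached = 0;
  guesses.forEach((_guess, i) => {
    const now = 1000 + i; // constructed monotonic clock, one ms per attempt
    if (limiter.isLocked(account, now)) return;
    reached += 1;
    limiter.recordFailure(account, now);
  });
  return reached;
}
```

With a budget of 5 failures per 60 s window, 100 guesses from 100 different addresses still only get 5 attempts at the password check, and the lock clears once the window has passed.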
