FxA and security stuff

Chris Karlof ckarlof at mozilla.com
Thu Nov 21 10:14:28 PST 2013


Thanks Peter!

It's on our radar:

https://github.com/mozilla/fxa-auth-server/issues/222

I prefer discussion of actionable techniques/ideas to take place there, but feel free to rock on here.

-chris


I'd prefer the discussion to take place in that issue.

On Nov 21, 2013, at 9:04 AM, Peter deHaan <pdehaan at mozilla.com> wrote:

> For those of you not blessed to be sitting in the vicinity of jrgm and myself...
> 
> GitHub weak passwords brute forced: [1]
> "This is a great opportunity for you to review your account, ensure that you have a strong password and enable two-factor authentication."
> 
> 
> Other fascinating topics of conversation recently have revolved around the big password leaks at Adobe (now available as a crossword puzzle; [2]), which nicely ties in to "Facebook requires some users to change password after Adobe hack" [3][4]
> 
> A couple open-ish questions for the larger team are:
> 
> - Should FxA enforce that passwords are not "weak" and not in the top X commonly used passwords? [5] Note that we're not just telling people that their password is weak or strong, but specifically rejecting their attempts to use a password of "password" or "123456" or "letmein", or "121212". Amazingly *24* of the top 100 most common passwords [5] are strictly numeric!
> - Is there a way for us to recognize possibly compromised common passwords and force users to change them, similar to what Facebook did?
> - Should/can we support two-factor authentication (a la Dropbox, Twitter, Evernote, GitHub, Gmail, etc)?
> - Not a question really, but jrgm is in huge support of lloyd's "lockdown" module for enforcing dependencies [6]. I can file bugs in the various fxa-* repos to eventually lock down the dependencies before v1 release if we're not already using it.
> 
> -peter
> 
> [1] https://github.com/blog/1698-weak-passwords-brute-forced
> [2] http://zed0.co.uk/crossword/
> [3] http://www.theverge.com/2013/11/12/5095560/facebook-requires-users-to-change-password-after-adobe-hack
> [4] http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/
> [5] http://stricture-group.com/files/adobe-top100.txt
> 
> 
> ----- Forwarded Message -----
> From: "Edwin Wong" <edwong at mozilla.com>
> To: "Peter deHaan" <pdehaan at mozilla.com>
> Cc: services-qa-staff at mozilla.com
> Sent: Wednesday, November 20, 2013 9:42:14 PM
> Subject: Re: FxA and security stuff
> 
> I'd push this email to the dev-fxacct list.
> 
> We need to plan for 2-factor auth and blacklisting top passwords ASAP.
> 
> Yes, we need lockdown.
> 
> 
> -e
> _______________________________________________
> Dev-fxacct mailing list
> Dev-fxacct at mozilla.org
> https://mail.mozilla.org/listinfo/dev-fxacct
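The first bullets in Peter's message ask whether FxA should reject passwords that appear in a top-N list of common passwords, and point out how many of those are strictly numeric. As an added example (not fxa-auth-server code and not part of the original thread), here is the kind of server-side pre-check that proposal implies, written in JavaScript since fxa-auth-server is a Node.js project. The blacklist is a small constructed sample, not the adobe-top100 list linked as [5]; the names checkPassword, isStrictlyNumeric, countNumeric, the normalisation rule and the minimum length of 8 are all assumptions made for the example.

```javascript
// Added example: reject passwords that are in a "top N most common" list or
// that are strictly numeric, as proposed on the thread. Not fxa-auth-server code.

// Constructed sample blacklist (NOT the real adobe-top100 list from [5]).
const CONSTRUCTED_TOP_PASSWORDS = [
  'password', '123456', 'letmein', '121212', 'qwerty', 'adobe123',
  '111111', 'iloveyou', 'welcome', 'abc123',
];

// Normalise so trivial variants ("Password", " letmein ") do not slip past an
// exact-match lookup. Assumption: case and surrounding whitespace are ignored.
function normalize(password) {
  return String(password).trim().toLowerCase();
}

// Build the lookup set once, at startup, from the normalised list.
const blacklist = new Set(CONSTRUCTED_TOP_PASSWORDS.map(normalize));

// True when the password consists of digits only (24 of the real top 100 did).
function isStrictlyNumeric(password) {
  return /^[0-9]+$/.test(password);
}

// Returns { ok: true } or { ok: false, reason } so the caller can give the
// user a specific message. Run this before any hashing or storage work, so a
// rejected password never reaches the credential store.
function checkPassword(password, minLength = 8) {
  const p = normalize(password);
  if (blacklist.has(p)) return { ok: false, reason: 'common-password' };
  if (isStrictlyNumeric(p)) return { ok: false, reason: 'numeric-only' };
  if (p.length < minLength) return { ok: false, reason: 'too-short' };
  return { ok: true };
}

// Reproduces the "how many of the top N are strictly numeric" count over any
// list, e.g. to sanity-check a blacklist file before deploying it.
function countNumeric(list) {
  return list.filter((p) => isStrictlyNumeric(normalize(p))).length;
}

// Stand-alone demonstration.
for (const candidate of ['password', 'Letmein ', '987654321', 'short1', 'correct horse battery']) {
  console.log(JSON.stringify(candidate), '->', JSON.stringify(checkPassword(candidate)));
}
console.log('numeric-only entries in sample list:', countNumeric(CONSTRUCTED_TOP_PASSWORDS));
```

The check is ordered so the most specific reason wins: a password that is both short and on the list is reported as common, which is the more useful thing to tell the user. Swapping the constructed list for the full top-N file is a one-line change, and countNumeric gives a quick way to confirm the file loaded as expected.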
