Ask Your Question
1

Why is a user hassled so much while registering a new fedora account?

asked 2014-01-03 16:29:14 -0500

terminalid gravatar image

updated 2014-09-28 16:01:09 -0500

mether gravatar image

I just created a new fedora account and was disappointed with how it went. Especially considering how this is a non-profit community site for people with above average computer skills.

  1. Why do I have to enter a real name? This is a open source project where a value of a member is determined by his skills. I don't see how a real name helps anyone but the NSA. Especially considering that you have no way of verifying my name. In the end you have a bunch of fake names that are worthless. This should be an optional field.
  2. I hate entering a security question. It's a thing for morons who can't enter their email correctly or remember a password. Because this is a site for computer professionals it feels very much out of place and is something I would expect on a dating site.
  3. But the worst thing that made me write this posting is the moronic (I am sorry but that's what it is) password length requirement.

    password: Passwords must meet certain strength requirements. If they have a mix of symbols, upper and lowercase letters, and digits they must be at least 9 characters. If they have a mix of upper and lowercase letters and digits they must be at least 10 characters. If they have lowercase letters and digits, they must be at least 12 characters. Letters alone need to have at least 3 different characters and be 20 or more characters in length.

    The only conclusion I can come to is that the people who set up this have no mathematical and computer security knowledge at all. Why do you need that much entropy? Have you even done the math once? 20 lowercase characters make up 26^20 possible combinations. Bruteforcing this hash with unreal one trillion combinations per seconds would take about 631 million years. Take away some mathematical weaknesses and mistakes I made and you still have much more than you would ever need. And EVEN if someone would be able to crack this with his secret quantum computer in his basement he would get a password that ppl only use for this service. Because even if I use one password for all services, it is never that long. This becomes a gazillion times more absurd if you consider that password of web services are bruteforced over the internet (max. 1000/s) or not at all because you probably have some zero day exploits in your software.

    In the end you are forcing people to write down ridiculously long passwords without improving security one bit. And in my case you leave a bad impression because I now really think that the people who designed the fedora account policies are stupid.

Please have a look at stackexchange on how to do this properly.

edit retag flag offensive close merge delete

Comments

Probably the default settings from the original software. This might be improved in time. Or not. In any event, that's how it works, and as a n00b here myself, perhaps you might direct this question to FranciscoD_ who has Maximum Karma and probably knows the board's Imperial Grand Kingfish.

K7AAY gravatar imageK7AAY ( 2014-01-03 18:55:56 -0500 )edit

What site are you referring to? FAS or Ask Fedora? I'd like to point out, though, that developers of authentication systems have indeed done their research. I haven't done mine, but seeing how a majority of websites require combinations of lower case alphabets, upper case alphabets, numbers AND symbols, I'm sure there are security threats out there that have not been covered in your math class :)

FranciscoD_ gravatar imageFranciscoD_ ( 2014-01-04 02:12:06 -0500 )edit

If this is an Ask Fedora related question, it needs to be retagged as "meta". It's a deployment of askbot which probably uses a python/django library for authentication. You should look up its developers and hold a discussion. We're not going to patch our instance to remove their work, since we do actually trust their judgement.

FranciscoD_ gravatar imageFranciscoD_ ( 2014-01-04 02:13:33 -0500 )edit

I am referring to FAS-OpenID. I am assuming that askbot offers options to set length and requirements of a password, this is why I posted it here. Also, because this is the primary authentication system of this site. I doubt the majority of "professional "sites require such long passwords. Probably people use authentication libraries in their web projects without understanding how they work.

terminalid gravatar imageterminalid ( 2014-01-04 08:28:01 -0500 )edit

@terminalid - you say you're referring to FAS-OpenID, which allows us to log in to AskBot with our FAS accounts, but then you talk about AskBot behavior. FAS is the account system for all Fedora infrascructure. Besides being an open community, with most openly using their real names to collaborate with other real people, the restrictions you mention are the _bare minimum_ for access to the resources that accept credentials. Posting here won't change the policy.

randomuser gravatar imagerandomuser ( 2014-01-04 12:26:01 -0500 )edit

2 Answers

Sort by ยป oldest newest most voted
2

answered 2014-01-03 17:51:44 -0500

sergiomb gravatar image

updated 2014-01-04 20:15:07 -0500

fas accounts ? if yes with fas account you could interact with fedora project , became a contributor, a packager etc , you can give karma on updates etc , so so fas account need to be secure . So to be a packager of Fedora, it is obvious that Fedora needs your real name. Since this account you can gain access to commit to all packages if you are a proven packager, for security reason , this accounts must have strong passwords, about 2 years ago Fedora decides that needs improves security after kernel.org had been attack . about security question , may be is a little boring , but is not a big deal to make one, you may put random characters

edit flag offensive delete link more

Comments

Please elaborate how the length of your passwords prevents "you" (who exactly?) from being attacked? (What attack? DDOS?, Bruteforce?)

terminalid gravatar imageterminalid ( 2014-01-04 08:30:10 -0500 )edit

You only added what the account is used for not how a very long password that I was criticizing improves security of a normal one. Also you didn't say anything about security question and real name. Maybe you should rethink your answer.

terminalid gravatar imageterminalid ( 2014-01-04 12:53:41 -0500 )edit
0

answered 2014-05-02 09:22:56 -0500

Doesnt directly or fully answer your question, but does include information about the privacy of your peronal information, http://fedoraproject.org/wiki/Legal/PrivacyPolicy

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2014-01-03 16:29:14 -0500

Seen: 616 times

Last updated: May 02 '14