Kevin Fenzi wrote: > I'd like us to add security query/respond pairs. Those can very easily weaken security, as the answers are often public and easy for an attacker to look up, especially when there are only a few predefined questions to choose from.
If I can enter my own question, then I can come up with some things that only I and my family know. That requires careful and security- conscious consideration. Many people would come up with insecure questions. There's a limited supply of such personal secrets that I can be sure I'll remember, so I can't do that for too many sites. It also requires a not too public life. People who publish their entire lives on Facebook will have trouble coming up with a question that an attacker can't find the answer to. Otherwise I'll make up a nonsensical phrase to enter as the answer, and store it securely. That turns the "security question" into a backup passphrase. If you want people to do this, then it's better to ask them to make up a passphrase. Björn Persson
pgpE8zuWQSxko.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
