Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2022/09/14 16:00:53 UTC

Re: [jira] [Updated] (OFBIZ-11244) Remove the user login security question

Hi,

FYI: Following the Infra advice below on Slack, I had to change the https://www.schneier.com/essays/... URL:

Humbedooh 17:53 <https://the-asf.slack.com/archives/CBX4TSBQ8/p1663170822890599>
<< @Jacques Le Roux you triggered the aardvark spam filter with the URL in your ticket. I will suggest using s.apache.org to shorten it for now, and avoid triggering the spam detection.
we get hit by a lot of spammers trying to sell essay writing and what not, so it's a thing that triggers the spam filter>>

Else you get very troubling messages like
<<Your request has been blocked. If you feel this is in error, please let us know at: abuse@infra.apache.org. Be sure to include your IP address so we know what to look for.>>
<<The Jira server could not be contacted. This may be a temporary glitch or the server may be down.>>

HTH

Jacques

Jacques Le Roux updated OFBIZ-11244:
------------------------------------
     Description:
After our discussion in dev ML at https://markmail.org/message/2dhc4al4adwgvl7z we will remove this feature. This [~paulfoxworthy]'s remark is notably important:

bq. Security is only as good as its weakest link (https://s.apache.org/xp8da), and security questions can be a real weakness. Any organisation using OFBiz that really hates passwords could look at security keys from Yubico or the like.


   was:
After our discussion in dev ML at https://markmail.org/message/2dhc4al4adwgvl7z we will remove this feature. This [~paulfoxworthy]'s remark is notably important:

bq. Security is only as good as its weakest link (https://www.schneier.com/essays/archives/2005/02/the_curse_of_the_sec.html), and security questions can be a real weakness. Any organisation using OFBiz that really hates passwords could look at security keys from Yubico or the like.



>> Remove the user login security question
>> ---------------------------------------
>>
>>                  Key: OFBIZ-11244
>>                  URL: https://issues.apache.org/jira/browse/OFBIZ-11244
>>              Project: OFBiz
>>           Issue Type: Improvement
>>           Components: ecommerce, framework, party
>>     Affects Versions: Trunk
>>             Reporter: Jacques Le Roux
>>             Assignee: Michael Brohl
>>             Priority: Major
>>          Attachments: OFBIZ-11244-framework-correction.patch, OFBIZ-11244-framework.patch, OFBIZ-11244-plugins.patch
>>
>>
>> After our discussion in dev ML at https://markmail.org/message/2dhc4al4adwgvl7z we will remove this feature. This [~paulfoxworthy]'s remark is notably important:
>> bq. Security is only as good as its weakest link (https://s.apache.org/xp8da), and security questions can be a real weakness. Any organisation using OFBiz that really hates passwords could look at security keys from Yubico or the like.