You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2022/09/14 16:00:53 UTC
Re: [jira] [Updated] (OFBIZ-11244) Remove the user login security question
Hi,
FYI: Following below Infra advice on Slack I had to change the https://www.schneier.com/essays/... URL:
Humbedooh17:53 <https://the-asf.slack.com/archives/CBX4TSBQ8/p1663170822890599>
<< @Jacques Le Roux you triggered the aardvark spam filter with the URL in your ticket. I will suggest using s.apache.org to shorten it for now, and
avoid triggering the spam detection.
we get hit by a lot of spammers trying to sell essay writing and what not, so it's a thing that triggers the spam filter>>
Else you get very troubling messages like
<<Your request has been blocked. If you feel this is in error, please let us know at: abuse@infra.apache.org. Be sure to include your IP address so we
know what to look for.>>
<<The Jira server could not be contacted. This may be a temporary glitch or the server may be down.>>
HTH
Jacques
Jacques Le Roux updated OFBIZ-11244:
------------------------------------
Description:
After our discussion in dev ML athttps://markmail.org/message/2dhc4al4adwgvl7z we will remove this feature. This [~paulfoxworthy]'s remark is notably important:
bq. Security is only as good as its weakest link (https://s.apache.org/xp8da) , and security questions can be a real weakness. Any organisation using OFBiz that really hates passwords could look at security keys from Yubico or the like.
was:
After our discussion in dev ML athttps://markmail.org/message/2dhc4al4adwgvl7z we will remove this feature. This [~paulfoxworthy]'s remark is notably important:
bq. Security is only as good as its weakest link (https://www.schneier.com/essays/archives/2005/02/the_curse_of_the_sec.html) , and security questions can be a real weakness. Any organisation using OFBiz that really hates passwords could look at security keys from Yubico or the like.
>> Remove the user login security question
>> ---------------------------------------
>>
>> Key: OFBIZ-11244
>> URL:https://issues.apache.org/jira/browse/OFBIZ-11244
>> Project: OFBiz
>> Issue Type: Improvement
>> Components: ecommerce, framework, party
>> Affects Versions: Trunk
>> Reporter: Jacques Le Roux
>> Assignee: Michael Brohl
>> Priority: Major
>> Attachments: OFBIZ-11244-framework-correction.patch, OFBIZ-11244-framework.patch, OFBIZ-11244-plugins.patch
>>
>>
>> After our discussion in dev ML athttps://markmail.org/message/2dhc4al4adwgvl7z we will remove this feature. This [~paulfoxworthy]'s remark is notably important:
>> bq. Security is only as good as its weakest link (https://s.apache.org/xp8da) , and security questions can be a real weakness. Any organisation using OFBiz that really hates passwords could look at security keys from Yubico or the like.
>
>
> --
> This message was sent by Atlassian Jira
> (v8.20.10#820010)