[openstreetmap/openstreetmap-website] block extremely simple and common passwords like "12345678" on a registration (#2285)
Andy Allan
notifications at github.com
Mon Jul 8 14:39:06 UTC 2019
> Why would someone take over someone else's OSM account? I can delete all your edits with an account I create afresh, why would I want to take over yours?
I've no interest in taking over @matkoniecz user account. But as for yours, @woodpeck - well, moderator privileges make a juicier target! Even more so for an admin account. We can't currently make any account-security checks before handing out elevated privileges, and there's a bunch of stuff which is hard to undo if a moderator or admin account with weak access gets hacked. Even a normal account has who-knows-what in the private messaging system, and "well password complexity is entirely up to the user to worry about" isn't something I want to hear.
So I'm supportive of this suggestion. But I would strongly suggest that it waits until we move our account signup process over to Devise. Implementation would be best then as a devise-compatible extension, or using existing extensions like [https://github.com/devise-security/devise-security](https://github.com/devise-security/devise-security)
https://github.com/openstreetmap/openstreetmap-website/issues/2285#issuecomment-509252946
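As an added illustration of the check the issue asks for (this is example code, not code from openstreetmap-website or from devise-security), the following framework-free Ruby class rejects a candidate password at registration when it is too short, appears on a denylist of common passwords (including trivial variants such as a trailing digit or punctuation), or is built from the account's own username or email local part. The class name, method names and the short denylist are all assumptions; a real deployment would load a published list of breached passwords instead of the handful embedded here.

```ruby
# Added example, not openstreetmap-website or devise-security code: a small
# password policy a registration form could call before accepting a password.
# Class and method names are assumptions; the denylist is a constructed sample.
require 'set'

class CommonPasswordPolicy
  MIN_LENGTH = 8

  # Constructed sample denylist. A real deployment would load a published list
  # of common/breached passwords (tens of thousands of entries) from a file.
  DENYLIST = Set.new(%w[
    12345678 123456789 1234567890 password qwerty qwertyuiop iloveyou
    letmein welcome admin abc12345 passw0rd openstreetmap
  ].map(&:downcase)).freeze

  # Returns nil when the password is acceptable, otherwise a symbol naming the
  # first failed check: :too_short, :common_password or :contains_identity.
  def self.reject_reason(password, username: nil, email: nil)
    pw = password.to_s.strip
    return :too_short if pw.length < MIN_LENGTH
    return :common_password if common?(pw)
    return :contains_identity if contains_identity?(pw, username, email)

    nil
  end

  # Case-insensitive denylist lookup that also catches trivial variants such as
  # "Password1!" by stripping trailing digits/punctuation before a second lookup.
  def self.common?(pw)
    candidate = pw.downcase
    return true if DENYLIST.include?(candidate)

    stripped = candidate.sub(/[\d[:punct:]]+\z/, '')
    stripped.length >= 4 && DENYLIST.include?(stripped)
  end

  # Rejects passwords that embed the account's own identifiers (username or the
  # local part of the email address), which are among the first guesses tried.
  def self.contains_identity?(pw, username, email)
    idents = [username, email.to_s.split('@').first]
             .compact.map(&:downcase).reject { |s| s.length < 4 }
    idents.any? { |ident| pw.downcase.include?(ident) }
  end
end

# Usage: the registration controller would call reject_reason and add a
# validation error on the password field when it returns non-nil.
if __FILE__ == $PROGRAM_NAME
  [['12345678', {}], ['Password1!', {}], ['mapper42rocks', { username: 'mapper42' }],
   ['correct horse battery', { email: 'andy@example.org' }]].each do |pw, opts|
    puts "#{pw.inspect}: #{CommonPasswordPolicy.reject_reason(pw, **opts).inspect}"
  end
end
```

The variant-stripping step is what makes the denylist useful against the "append a 1 and an exclamation mark" habit; the identity check is separate because it depends on the account being created rather than on any fixed list.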