Notify gem maintainers that didn't change the password for a while

[mdesantis]

Follow up of #1941. What about sending an email to every RubyGems user that didn't change the password for a while and didn't set up 2FA? I just changed my password and enabled 2FA (even if I don't have any important gem published), but I guess many gem maintainers could be in the same situation, maybe a remainder could help

[mdesantis]

I'm thinking something about:

Hi RubyGems.org user,

a recent vulnerability inside bootstrap-sass gem reminded us how important nowadays is choosing a strong password and enabling 2FA. We felt this is a good occasion to remind you about that: you can change your password here and enable 2FA here.

Yours sincerely,

RubyGems.org

[mdesantis]

In the long term, a reminder email could be sent to every user that didn't change his password for something like two years (I don't know) and didn't enable 2FA.

[glebm]

Perhaps changing the password regularly is not necessary, as long as you have a strong password.

I didn't have a particularly strong password because I created my account about a decade ago, when no password policies were in place and 2FA wasn't an option.

Perhaps it would make sense to email people in a similar situation -- who had created their account before 2FA was introduced?

[olivierlacan]

Strong passwords don't matter when they've been reused and are tested by attackers during credential stuffing attacks. Multi-factor authentication is the only way we can prevent maintainer passwords being vulnerabilities over time.

Anyone who uses gem push should eventually have to enable MFA on RubyGems.org, especially if their gems are popular or depended upon by other gems (reverse dependencies).

[indirect]

@olivierlacan I think maybe you missed the other discussion about passwords, which is that we can easily prevent any password on RubyGems.org from being one that has ever been dumped, via the haveibeenpwned API.

That said, we are working on some sort of feature that would allow a specific gem to require 2FA for pushes. It's not realistic to force 2FA at push time for all pushes, because there are tons of automated systems out there pushing new versions of gems.

[simi]

In recent years a lot of improvements were added, scoped API keys, pass scanning using haveibeenpwned, WebAuthn, enforced 2FA for top gems, ... Also there is currently effort to move to OIDC based attested gem pushes. Considering all this, is this feature still needed? 🤔

[mdesantis]

Let's close it, if it's still going to be relevant we'll open it again