Notify gem maintainers that didn't change the password for a while #1944
I'm thinking something about: Hi RubyGems.org user, a recent vulnerability inside the bootstrap-sass gem reminded us how important it is nowadays to choose a strong password and enable 2FA. We felt this is a good occasion to remind you about that: you can change your password here and enable 2FA here. Yours sincerely, RubyGems.org
In the long term, a reminder email could be sent to every user that didn't change his password for something like two years (I don't know) and didn't enable 2FA.
Perhaps changing the password regularly is not necessary, as long as you have a strong password. I didn't have a particularly strong password because I created my account about a decade ago, when no password policies were in place and 2FA wasn't an option. Perhaps it would make sense to email people in a similar situation -- who had created their account before 2FA was introduced?
Strong passwords don't matter when they've been reused and are tested by attackers during credential stuffing attacks. Multi-factor authentication is the only way we can prevent maintainer passwords from being vulnerabilities over time. Anyone who uses
@olivierlacan I think maybe you missed the other discussion about passwords, which is that we can easily prevent any password on RubyGems.org from being one that has ever been dumped, via the haveibeenpwned API. That said, we are working on some sort of feature that would allow a specific gem to require 2FA for pushes. It's not realistic to force 2FA at push time for all pushes, because there are tons of automated systems out there pushing new versions of gems.
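The haveibeenpwned check mentioned in the comment above, as an added example that is not part of this issue thread or of RubyGems.org's own code: the Pwned Passwords range API is queried with only the first five hex characters of the password's SHA-1 (k-anonymity), and the 35-character suffix is matched locally against the returned list, so the password itself never leaves the server. The range response body, the leak counts, the helper names (`pwned_count`, `acceptable_password?`, `fetch_range_from_hibp`) and the injected `range_lookup` callable are assumptions made for the example; `OFFLINE_LOOKUP` lets it run without network access.

```ruby
require "digest"
require "net/http"
require "uri"

# Constructed stand-in for a Pwned Passwords "range" response. The real API
# (https://api.pwnedpasswords.com/range/<5-hex-prefix>) returns one line per
# leaked hash sharing that prefix, formatted "<35-hex-suffix>:<count>".
# The first suffix is the genuine SHA-1 tail of the string "password";
# the counts and the other two lines are made-up filler to show the format.
CONSTRUCTED_RANGES = {
  "5BAA6" => <<~BODY,
    1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
    0000000000000000000000000000000000A:0
    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12
  BODY
}.freeze

# Real network lookup (assumed helper, not exercised in the offline run).
# Only the 5-character prefix is sent, never the full hash or the password.
def fetch_range_from_hibp(prefix)
  uri = URI("https://api.pwnedpasswords.com/range/#{prefix}")
  res = Net::HTTP.get_response(uri)
  raise "HIBP lookup failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# Offline lookup used for the demonstration: serves the constructed body for
# the one prefix we know about and an empty list for anything else.
OFFLINE_LOOKUP = ->(prefix) { CONSTRUCTED_RANGES.fetch(prefix, "") }

# How many times the password appears in breach corpora (0 when unseen).
# `range_lookup` is injected so the same logic works against the live API
# or against CONSTRUCTED_RANGES.
def pwned_count(password, range_lookup: method(:fetch_range_from_hibp))
  sha1   = Digest::SHA1.hexdigest(password).upcase
  prefix = sha1[0, 5]
  suffix = sha1[5..-1]
  range_lookup.call(prefix).each_line do |line|
    line_suffix, count = line.strip.split(":", 2)
    return count.to_i if line_suffix == suffix
  end
  0
end

# Registration / password-change policy: reject anything seen even once.
def acceptable_password?(password, range_lookup: method(:fetch_range_from_hibp))
  pwned_count(password, range_lookup: range_lookup).zero?
end

if __FILE__ == $PROGRAM_NAME
  %w[password correct-horse-battery-staple-xyz].each do |pw|
    seen = pwned_count(pw, range_lookup: OFFLINE_LOOKUP)
    ok   = acceptable_password?(pw, range_lookup: OFFLINE_LOOKUP)
    puts "#{pw.inspect}: seen #{seen} times, acceptable=#{ok}"
  end
end
```

In a Rails app this would sit in a validator on the user model, with the live lookup wrapped in a short timeout and a fail-open decision (or a queued re-check) so an API outage does not block password changes; the comparison of the suffix happens entirely on the server side, which is what makes the prefix query safe to send.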
In recent years a lot of improvements were added, scoped API keys, pass scanning using haveibeenpwned, WebAuthn, enforced 2FA for top gems, ... Also there is currently effort to move to OIDC based attested gem pushes. Considering all this, is this feature still needed? 🤔
Let's close it, if it's still going to be relevant we'll open it again
Follow up of #1941. What about sending an email to every RubyGems user that didn't change the password for a while and didn't set up 2FA? I just changed my password and enabled 2FA (even if I don't have any important gem published), but I guess many gem maintainers could be in the same situation, maybe a reminder could help