Closed Bug 638181 Opened 13 years ago Closed 13 years ago

Purge user password hashes if an account has not been used in over a year

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect, P3)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: clyon, Assigned: fligtar)

References

(Blocks 1 open bug)

Details

Purge user password hashes if an account has not been used in over a year.
Is this only for users who have never done anything on the site, or everyone including add-on authors?  

If we're going to start doing stuff like this, we should have clear messaging.  In the past it has been more of an emergency and we just let people figure out how to reset on their own.
(In reply to comment #1)
> Is this only for users who have never done anything on the site, or everyone
> including add-on authors?  

I would say for everybody. If somebody hasn't used addons.mozilla.org for a year, we should expire their hash. 

> If we're going to start doing stuff like this, we should have clear messaging. 
> In the past it has been more of an emergency and we just let people figure out
> how to reset on their own.

The workflow for doing a password reset because the user's hash was deleted should be refined. (I think this is your point)

So some message saying your password has expired and that they will need to do an email reset.
What is the ETA for this?
(In reply to comment #3)
> What is the ETA for this?

Q3/4;  Same as all the other new bugs.
I think we should discuss user-facing portions of these security enhancements. I'm fine with things like this for add-on developers, but AMO is a consumer site and this is a really crappy experience that seems unnecessary for the majority of users.
(In reply to comment #5)
> I think we should discuss user-facing portions of these security
> enhancements. I'm fine with things like this for add-on developers, but AMO
> is a consumer site and this is a really crappy experience that seems
> unnecessary for the majority of users.

If there are concerns, we are more than happy to meet with you to address.
Assignee: nobody → amckay
Assignee: amckay → fligtar
Whiteboard: [ddn]
I don't see why we need to do this and don't know of any other reputable websites that have a policy like this. The only types of users I think this would be useful for are admins and editors, but we audit those users for inactivity more frequently than once a year already.

If there are strong reasons the millions of normal users who just create collections and write reviews should have this level of security, we should discuss it.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Whiteboard: [ddn]
(In reply to comment #7)
> I don't see why we need to do this and don't know of any other reputable
> websites that have a policy like this. The only types of users I think this
> would be useful for are admins and editors, but we audit those users for
> inactivity more frequently than once a year already.
> 
> If there are strong reasons the millions of normal users who just create
> collections and write reviews should have this level of security, we should
> discuss it.

The motivation for this request is for the following reasons:

1. Accounts that have not been used in >12 months are most likely abandoned or no longer used.
2. Most users reuse passwords across many sites. The AMO password could very well be the single password they use everywhere with the associated email address.

By deleting the hash we are minimizing the impact in the event there is a security incident involving the AMO database. In the event of a future database incident/compromise we are then able to say that the thousands* of accounts that are no longer in use were not disclosed.

(*Can we quantify this number e.g. the number of accounts that haven't been used in the past 12 months vs the total number of accounts?)

Overall this change is another level of protection for our users.  Since we've established we don't need their password hash, we can delete it and minimize the possibility that it could ever be exposed.

Thoughts?
Product: addons.mozilla.org → addons.mozilla.org Graveyard
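A sketch of the purge proposed in this bug, together with the count asked for in the last comment and the "password expired, reset by email" path from comment 2. It is an added example, not AMO code: the `users` table, its columns, the NULL-means-purged convention and the sample rows are all assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

def make_demo_db():
    """Constructed sample rows; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT,"
                 " created TEXT NOT NULL, last_login TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("active@example.com", "sha512$s1$aa", "2008-05-01T00:00:00", "2011-02-20T10:00:00"),
        ("stale@example.com", "sha512$s2$bb", "2008-05-01T00:00:00", "2009-11-05T08:30:00"),
        ("new@example.com", "sha512$s3$cc", "2011-02-25T09:00:00", None),
        ("ghost@example.com", "sha512$s4$dd", "2009-01-01T00:00:00", None),
    ])
    return conn

def purge_inactive_hashes(conn, now, max_age_days=365):
    """NULL the hash of every account idle longer than max_age_days.

    Accounts that never logged in are aged from their creation date, so a
    fresh registration is not purged. Returns (purged, total) so the share
    of affected accounts can be reported.
    """
    cutoff = (now - timedelta(days=max_age_days)).isoformat(timespec="seconds")
    total = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    cur = conn.execute(
        "UPDATE users SET password = NULL WHERE password IS NOT NULL"
        " AND COALESCE(last_login, created) < ?", (cutoff,))
    conn.commit()
    return cur.rowcount, total

def login_state(conn, email):
    """Tell the login view what to do before any password check."""
    row = conn.execute("SELECT password FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return "unknown_user"
    if row[0] is None:
        return "reset_required"   # show "password expired", send e-mail reset
    return "check_password"

if __name__ == "__main__":
    db = make_demo_db()
    purged, total = purge_inactive_hashes(db, datetime(2011, 3, 1))
    print(f"purged {purged} of {total} hashes")
    print(login_state(db, "stale@example.com"))
```

Database backups taken before a purge still hold the old hashes, so backup retention bounds how much exposure the purge removes.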