John Plocher wrote:

> What are the statistics on the cookie stealing incidents we are
> experiencing?
> What was their explicit impact? Their potential impact? (i.e., is this a
> theoretical or real problem?)

We have no sure way of knowing. And the trick with security is to shut the
stable door before the horse has bolted.

>> re-supply their passwords when doing any security-critical operations
>> such as registering a new SSH key or changing their password
>
> Yahoo & google force password entry at other points as well -
> effectively, if it has been "too long" since you reauth'd, any "change
> my info" operation triggers one - where too long is (IIRC) between
> several hours and 2 weeks.
>
> I don't expect most people will be doing activities on the site as often as
> you presume (between one and four hours) - while *some* people live on
> os.o, I would guess that the vast majority revisit on a daily or weekly (or
> longer) basis. [this would be a good place for some real data]

We do have login information in the current database, but as logins are
permanent if you set the 'remember me' flag the data isn't really all that
useful.

> (I get my os.o email in Thunderbird or via GMail, I do most of my
> interactions with genunix's wiki and hg; I hit up OS.o with my browser only
> infrequently, daily to a couple of times a week. I'd be pretty turned off if
> I was forced to relogin every one of those times.)
>
> I predict that an inactivity logout of less than a week or so would be
> a huge dissatisfier for the majority of casual OS.o users.

You'll only have to log in if you want to change anything, which immediately
excludes most casual users.

>> although this will of course be configurable.
>
> As long as it can be set to things like "2 weeks", "1 month" or even
> "never"...

It will most probably be a small number of hours, and certainly not more than
a day.

-- 
Alan Burlison
--

_______________________________________________
website-discuss mailing list
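An added illustration of the policy being argued over above (example code, not anything from the OpenSolaris site or this thread): a permanent 'remember me' cookie keeps a session alive for browsing, but any security-critical operation demands the password again unless it was typed within a configurable window, so a replayed cookie alone cannot register an SSH key or change the password. The window and timeout values, the Session fields and the sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy knobs (hypothetical values: the thread says the re-auth window is
# configurable and will "most probably be a small number of hours").
REAUTH_WINDOW = timedelta(hours=4)       # password required again after this
INACTIVITY_TIMEOUT = timedelta(days=1)   # ordinary sessions expire after this idle time

@dataclass
class Session:
    user: str
    last_password_auth: datetime  # when the user last typed the password
    last_activity: datetime
    remember_me: bool = False

def session_valid(s: Session, now: datetime) -> bool:
    """'Remember me' cookies never expire (as on the current site);
    other sessions expire after INACTIVITY_TIMEOUT without activity."""
    return s.remember_me or now - s.last_activity <= INACTIVITY_TIMEOUT

def needs_reauth(s: Session, now: datetime, sensitive: bool) -> bool:
    """Browsing never prompts; security-critical operations (register an
    SSH key, change the password) prompt unless the password was entered
    within REAUTH_WINDOW. A stolen cookie can browse but not do those."""
    return sensitive and now - s.last_password_auth > REAUTH_WINDOW

def authorize(s: Session, now: datetime, sensitive: bool) -> str:
    """'deny' (session expired), 'reauth' (ask for the password) or 'allow'."""
    if not session_valid(s, now):
        return "deny"
    if needs_reauth(s, now, sensitive):
        return "reauth"
    return "allow"

# Constructed samples. NOW is the moment of the request being checked.
T0 = datetime(2007, 5, 1, 9, 0)
NOW = T0 + timedelta(days=3, hours=1)
# 'remember me' cookie set 3 days ago, replayed by someone who never typed the password
STOLEN = Session("alice", T0, T0 + timedelta(days=3), remember_me=True)
# user who typed the password an hour ago
FRESH = Session("bob", NOW - timedelta(hours=1), NOW)
# ordinary session idle for two days
STALE = Session("carol", NOW - timedelta(days=2), NOW - timedelta(days=2))

if __name__ == "__main__":
    print(authorize(STOLEN, NOW, sensitive=False))  # allow
    print(authorize(STOLEN, NOW, sensitive=True))   # reauth
```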
