Improve security of drupal.org accounts for project maintainers

Created on 22 June 2017, about 7 years ago
Updated 4 April 2024, 3 months ago

There are a few things that could be done to improve the security of drupal.org user accounts for people who are project maintainers.

This idea came to my mind after some research found 52% of projects hosted on npm had maintainers (or maintainers of a dependency) with weak passwords.

Drupal.org has 1 element already that is good: two-factor-authentication. But what are the threat scenarios and what more could we do?

Threat scenarios:

  • Easily brute-forced password
  • Password used on d.o and another site is included in a dump
  • A maintainer set up their account with a weak password years ago and is no longer active in Drupal
  • A maintainer's good password is compromised (e.g. connection sniffed or password manager breached)

Possible solutions:

  1. Add some custom code to drupalorg module that nags people to add and use 2-factor-auth if they are a maintainer
  2. Add password strength → and require a "good" level of strength for people who are a maintainer of a project (that last part might require some custom code)
  3. Disable old passwords (e.g. using this paranoia feature →) for people who are maintainers and have not logged in for a long time
  4. Use login history → module to help maintainers detect if their account has been compromised (the module will send an email if a login occurs on a new device)

Solutions are in order of my sense of the level of effort vs. value.
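A sketch of how the four proposals above could be evaluated against maintainer accounts, written as an added example for this page rather than code from the issue or the drupalorg module. The account fields, the 4-year inactivity threshold (taken from the comment below), the 0-4 strength scale and the action names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Policy thresholds (assumptions, not drupal.org's actual settings).
STALE_AFTER = timedelta(days=4 * 365)   # inactivity after which the password is disabled
MIN_STRENGTH = 3                        # "good" on a 0-4 strength-meter scale


@dataclass
class Account:
    name: str
    is_maintainer: bool
    has_2fa: bool
    password_strength: int              # 0..4, as a strength meter would report
    last_login: datetime
    known_devices: Set[str] = field(default_factory=set)


def evaluate(acct: Account, now: datetime, login_device: Optional[str] = None) -> List[str]:
    """Return the actions the four proposed solutions call for on one account."""
    actions: List[str] = []
    if not acct.is_maintainer:
        return actions                  # the proposals only target project maintainers
    if not acct.has_2fa:
        actions.append("nag-2fa")                    # solution 1: nag to enable 2FA
    if acct.password_strength < MIN_STRENGTH:
        actions.append("require-strong-password")    # solution 2: enforce "good" strength
    if now - acct.last_login > STALE_AFTER:
        actions.append("disable-password")           # solution 3: expire dormant passwords
    if login_device is not None and login_device not in acct.known_devices:
        actions.append("email-new-device")           # solution 4: login-history style alert
    return actions


def audit(accounts: List[Account], now: datetime,
          device_by_name: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Evaluate every account; device_by_name maps a name to the device of a current login."""
    device_by_name = device_by_name or {}
    return {a.name: evaluate(a, now, device_by_name.get(a.name)) for a in accounts}


# Constructed sample data: three accounts and a reference "now".
NOW = datetime(2024, 4, 4, tzinfo=timezone.utc)
SAMPLE = [
    Account("active_maintainer", True, True, 4, NOW - timedelta(days=3), {"laptop"}),
    Account("dormant_maintainer", True, False, 1, NOW - timedelta(days=5 * 365)),
    Account("regular_user", False, False, 0, NOW - timedelta(days=6 * 365)),
]

if __name__ == "__main__":
    for name, acts in audit(SAMPLE, NOW, {"active_maintainer": "phone"}).items():
        print(f"{name}: {acts or ['ok']}")
```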

📌 Task

Status: Active

Version: 3.0

Component: Code

Created by: 🇺🇸 United States greggles Denver, Colorado, USA


Comments & Activities


  • 🇺🇸 United States greggles Denver, Colorado, USA

    The ideas in the OP still make sense to me, but I guess some of them will need to migrate to other locations.

    Especially expiring passwords on accounts that haven't logged in for +4 years makes sense given our site's usage profile.
