Comment 1 for bug 996595

Russell Bryant (russellb) wrote : Re: Following a password compromise and subsequent password change, tokens remain valid.

Thanks for the report, Derek. I went ahead and added the Keystone PTL.

Regarding the security status of this bug, I'm leaning toward treating this as a 'security hardening' issue as opposed to a vulnerability. That basically means that we acknowledge that this issue has important security related implications, but we won't put it under embargo and treat it with the vulnerability process. Instead, we'll work on this in the open like other bugs.

So, the suggestion here is that tokens should be automatically invalidated when a password gets changed?
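One way to implement the suggested mitigation, as an added illustration that is not Keystone's own code: each token is bound to the credential "generation" it was issued under, and a password change bumps the user's generation so every earlier token fails validation before its expiry. The in-memory stores, the `TokenService` class and the plaintext password field are constructed for the example (a real service would store a password hash).

```python
import secrets
import time


class TokenService:
    """Constructed example: tokens carry the password generation they were issued under."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.users = {}   # username -> {"password": str, "generation": int}
        self.tokens = {}  # token id -> {"user": str, "generation": int, "expires": float}

    def create_user(self, username, password):
        self.users[username] = {"password": password, "generation": 0}

    def authenticate(self, username, password, now=None):
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None
        token_id = secrets.token_hex(16)
        issued_at = now if now is not None else time.time()
        self.tokens[token_id] = {
            "user": username,
            "generation": user["generation"],  # bind token to the current credential generation
            "expires": issued_at + self.ttl,
        }
        return token_id

    def validate(self, token_id, now=None):
        tok = self.tokens.get(token_id)
        current = now if now is not None else time.time()
        if tok is None or current >= tok["expires"]:
            return None
        user = self.users[tok["user"]]
        # A token issued before the last password change carries a stale
        # generation and is rejected even though it has not yet expired.
        if tok["generation"] != user["generation"]:
            return None
        return tok["user"]

    def change_password(self, username, old_password, new_password):
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user["password"], old_password):
            return False
        user["password"] = new_password
        user["generation"] += 1  # revokes every token issued under the old password
        return True
```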