ccpgames / sso-issues

Please file issues with the CCP SSO (login.eveonline.com) here.

Refill ESI after every PW change .. seriously? #24

Open Valkorsia opened 6 years ago

Valkorsia commented 6 years ago

Request

OK, as a CEO, I have better things to do than chase around 278 people who have changed passwords on their Eve accounts .. It requires them to re-add ESI keys (every time they change pws) .... or, in the TEST Alliance Please Ignore IT structure, they lose services (Mumble, Discord, Jabber, forums) if they change an account pw .. and don't change (refill out) the ESI key, too .. it's totally retarded ... XML keys never required this ... please, for the love of God, change this ..

o/

Valk CEO/SPVG http://evemaps.dotlan.net/corp/Spartan_Vanguard

Aidansavage commented 6 years ago

To reiterate what was mentioned before:

Additionally, XML/CREST not doing that is precisely why ESI does. Not to mention it's a lot less obvious where to remove ESI authorizations, especially since some people are less than descriptive in naming the applications in question (who the heck names it "TS Identity Manager v2"?). And no easier way to remove authorizations in bulk.

That being said, for bulk removal of ESI authorizations, there are precisely 2 methods, one of which is changing your password. I'm almost certain there are very few people who know the other.

Something else that was mentioned in Tweetfleet is that sometimes the SSO architecture itself returns error codes that you may be perceiving as invalid tokens. It may be worth rewriting your code to only drop tokens when the error specifically states the tokens are invalid. While at it, it wouldn't hurt to add in the mail system mentioned on the other one.

And don't forget, delegating tasks to the slightly better peons can expedite processes \o/

ErikKalkoken commented 6 years ago

I was wondering why some tokens expire occasionally and suspected that it might have to do with password change. Now that seems confirmed by this post.

I concur that it is very inconvenient for larger alliances that rely heavily on token authentication to organize re-creation of tokens by their users every time they change their account password.

Also, from a security perspective I cannot really see why this is necessary. As long as the char is not transferred or the token explicitly revoked it should stay valid.

So I support this request to keep tokens valid despite password changes of the account.

cvweiss commented 6 years ago

security > convenience

Aidansavage commented 6 years ago

It may be inconvenient for large alliances, but that inconvenience is pretty insignificant when compared to the desire of users themselves to have a method to bulk-revoke tokens. As a user of multiple tools for EVE, I'm not going to spend 20 minutes going through every single authorization I made on my accounts just to make sure I don't "accidentally" remove the wrong one. I don't care. I'll reauth as necessary after spending 2 minutes changing my password.

antihax commented 6 years ago

It is simple to have your system send an evemail to a user when their token becomes invalid so you do not have to manually check and follow up on each one.
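Aidansavage's suggestion above (drop a token only when the SSO explicitly says it is invalid, not on every error) and antihax's (notify the member when a token really is dead), as an added Python example that is not code from this thread or from CCP. It assumes the SSO follows the standard OAuth2 refresh-token error responses of RFC 6749 section 5.2, where a revoked refresh token is answered with HTTP 400 and `{"error": "invalid_grant"}`; the response sequence in `demo()` is constructed.

```python
import json
from dataclasses import dataclass

# Assumption (RFC 6749 5.2, not confirmed by the thread): only these error codes
# mean the refresh token itself is dead and the member must re-authorize.
REVOKED_ERRORS = {"invalid_grant", "invalid_token"}


@dataclass
class Outcome:
    action: str   # "ok": token refreshed; "keep": retry later; "revoked": drop it
    notify: bool  # True when the member has to re-authorize (e.g. after a password change)
    reason: str


def classify_refresh(http_status: int, body: str) -> Outcome:
    """Map one refresh-token response to an action; SSO outages never revoke a token."""
    if http_status == 200:
        return Outcome("ok", False, "refreshed")
    if http_status == 429 or 500 <= http_status < 600:
        return Outcome("keep", False, f"SSO returned {http_status}; retry later")
    try:
        err = json.loads(body).get("error", "")
    except (ValueError, AttributeError):  # HTML error page, empty body, non-object JSON
        return Outcome("keep", False, "unparseable error body; retry later")
    if http_status == 400 and err in REVOKED_ERRORS:
        return Outcome("revoked", True, f"SSO reports {err}; member must re-authorize")
    return Outcome("keep", False, f"unexpected {http_status} {err!r}; retry later")


def handle_refresh(state: dict, http_status: int, body: str, max_retries: int = 5) -> Outcome:
    """Count consecutive retryable failures per token; escalate to a human, never auto-drop."""
    out = classify_refresh(http_status, body)
    if out.action == "keep":
        state["failures"] = state.get("failures", 0) + 1
        if state["failures"] >= max_retries:
            out = Outcome("keep", True, f"{state['failures']} SSO errors in a row; flag for manual check")
    else:
        state["failures"] = 0
    return out


def demo() -> list:
    """Constructed sequence: an SSO outage, a good refresh, a gateway page, then a revocation."""
    responses = [(503, "Service Unavailable"), (200, '{"access_token": "x"}'),
                 (400, "<html>gateway</html>"), (400, '{"error": "invalid_grant"}')]
    state = {}
    return [handle_refresh(state, status, body).action for status, body in responses]
```

Only the last response in `demo()` results in the token being dropped and the member notified; the others keep the token and retry.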

Kyria commented 6 years ago

If it's not the case, what could be interesting (user speaking) is to have a notice when changing password that tells the user that it will revoke all ESI tokens, so he will have to relog in all third party systems. So at least, if someone does this he knows that he'll have to deal with his alliance auth.

Also, it's not because XML/CREST didn't do something that it was the "right and secure" way to do it. That's the good point with ESI now. :)

ErikKalkoken commented 6 years ago

@Aidansavage Actually, it's the other way around. By automatically revoking all tokens after changing the account password one has to spend a lot of time and effort to re-authenticate all those applications. And since most users do not even know about this "feature" they will be very surprised when their 3rd party apps stop working for them. This is not a user friendly design. If the user should have a way to revoke all tokens, then there should be a button for this function on the 3rd party applications page. @cvweiss Please explain to me how this feature actually improves security? I would argue it has the opposite effect, because users will tend to change their password less often to avoid all the extra effort in having to re-authenticate all 3rd party apps. @antihax Sure and we already have a notification system for revoked tokens. It's still a nuisance and I fail to see why this is necessary in the first place. @Kyria Agreed, that would be beneficial.

Aidansavage commented 6 years ago

Let's put it this way: the only people crying over this change are "IT maintainers" for large groups.

If the user should have a way to revoke all tokens, then there should be a button for this function on the 3rd party applications page.

Feel free to open an issue with that feature request.

For the most part, this "issue" is pretty much only a complaint, rather than a bug report, feature request, or anything else that would be useful, and could be closed in favor of actual feature requests.

ErikKalkoken commented 6 years ago

@Aidansavage Well, I think the actual reason why only "IT maintainers for large groups" are "crying over this change" and not many users, is that common users are probably not aware that this forum exists. So trying to judge from the number of responses on this forum is flawed. Again, the request is to disable the automatic reset of all tokens when you change your account password.

CarbonAlabel commented 6 years ago

You can already revoke all tokens, using the Revoke access tokens on all devices button at https://secure.eveonline.com/LoginHistory.aspx.

If anything, the fact that IT maintainers for large groups are the ones crying about it only makes this issue more significant; those people are voicing the issues being experienced by hundreds or thousands of their line members. I'd be surprised if the CSM hasn't already grilled CCP about this issue.

fuzzysteve commented 6 years ago

For reference, it's actually not recommended to force password changes regularly.

Mostly because when you do, people use a variation of the same password. Also, it doesn't help when most times when a password is exposed, it's used very quickly thereafter.

What's recommended is:

Use long random passwords. (Or use a pass phrase. Not quite as secure, but a hell of a lot easier to remember. Ideally, use a passphrase to secure your password manager.)

Use a password manager. (Sure, if your password manager is compromised, you're fucked. But the likelihood of a standalone manager being compromised is tiny. If it is, your machine is likely compromised, and anything you do is compromised.)

Use two factor authentication. (Yay, passwords which change every 30 seconds ;) )