Rubygems.org: Notify gem maintainers that didn't change the password for a while

Created on 4 Apr 2019 · 5 Comments · Source: rubygems/rubygems.org

Follow-up of #1941. What about sending an email to every RubyGems user that didn't change the password for a while and didn't set up 2FA? I just changed my password and enabled 2FA (even if I don't have any important gem published), but I guess many gem maintainers could be in the same situation, maybe a reminder could help.

All 5 comments

I'm thinking something about:

Hi RubyGems.org user,

a recent vulnerability inside the bootstrap-sass gem reminded us how important it is nowadays to choose a strong password and enable 2FA. We felt this is a good occasion to remind you about that: you can change your password here and enable 2FA here.

Yours sincerely,

RubyGems.org

In the long term, a reminder email could be sent to every user that didn't change his password for something like two years (I don't know) and didn't enable 2FA.

Perhaps changing the password regularly is not necessary, as long as you have a strong password.

I didn't have a particularly strong password because I created my account about a decade ago, when no password policies were in place and 2FA wasn't an option.

Perhaps it would make sense to email people in a similar situation -- who had created their account before 2FA was introduced?

Strong passwords don't matter when they've been reused and are tested by attackers during credential stuffing attacks. Multi-factor authentication is the only way we can prevent maintainer passwords being vulnerabilities over time.

Anyone who uses gem push should eventually have to enable MFA on RubyGems.org, especially if their gems are popular or depended upon by other gems (reverse dependencies).

@olivierlacan I think maybe you missed the other discussion about passwords, which is that we can easily prevent any password on RubyGems.org from being one that has ever been dumped, via the haveibeenpwned API.

That said, we are working on some sort of feature that would allow a specific gem to require 2FA for pushes. It's not realistic to force 2FA at push time for all pushes, because there are tons of automated systems out there pushing new versions of gems.
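The haveibeenpwned check mentioned above can be done without ever sending the password, or even its full hash, to the third party: the Pwned Passwords range API accepts only the first five hex characters of the SHA-1 hash and returns every known suffix for that prefix, so the comparison happens locally. The following is an added example in Ruby, not code from rubygems.org; the range endpoint URL is the public one, while the sample range body, its breach counts, and the `offline_range_fetcher` helper are constructed here so the check runs offline.

```ruby
require "digest"
require "net/http"
require "uri"

# Public Pwned Passwords k-anonymity endpoint: GET /range/<first 5 hex chars of SHA-1>.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Upper-case hex SHA-1, the form the range API uses.
def sha1_hex(password)
  Digest::SHA1.hexdigest(password).upcase
end

# Parse a range response ("SUFFIX:COUNT" lines) into { suffix => count }.
def parse_range(body)
  body.each_line.with_object({}) do |line, acc|
    suffix, count = line.strip.split(":", 2)
    next if suffix.nil? || suffix.empty? || count.nil?
    acc[suffix.upcase] = count.to_i
  end
end

# Live fetcher: only the 5-character prefix leaves the process.
def fetch_range_http(prefix)
  res = Net::HTTP.get_response(URI(HIBP_RANGE_URL + prefix))
  raise "HIBP range lookup failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# Number of times the password appears in known breach corpora (0 = not found).
# The fetcher is injectable so the logic can be exercised offline.
def pwned_count(password, fetch_range: method(:fetch_range_http))
  digest = sha1_hex(password)
  prefix, suffix = digest[0, 5], digest[5..-1]
  parse_range(fetch_range.call(prefix)).fetch(suffix, 0)
end

# Policy hook a signup/password-change form would call.
def password_acceptable?(password, fetch_range: method(:fetch_range_http))
  pwned_count(password, fetch_range: fetch_range).zero?
end

# Constructed sample: the prefix 5BAA6 covers the SHA-1 of "password"
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The counts are made up for this example.
SAMPLE_RANGE_5BAA6 = <<~BODY
  1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
  003D68EB55068C33ACE09247EE4C639306B:3
BODY

OFFLINE_RANGES = { "5BAA6" => SAMPLE_RANGE_5BAA6 }.freeze

# Offline stand-in for fetch_range_http; unknown prefixes return an empty range.
def offline_range_fetcher
  ->(prefix) { OFFLINE_RANGES.fetch(prefix, "") }
end

if $PROGRAM_NAME == __FILE__
  fetcher = offline_range_fetcher
  ["password", "correct horse battery staple 7Q!"].each do |pw|
    puts "#{pw.inspect}: seen #{pwned_count(pw, fetch_range: fetcher)} times, " \
         "acceptable=#{password_acceptable?(pw, fetch_range: fetcher)}"
  end
end
```

Swap `offline_range_fetcher` for the default `fetch_range_http` to query the real service; the design keeps the prefix-only disclosure property either way, and a failed lookup raises rather than silently accepting the password.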
