<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>Remember that, at the end of the day, users of moinmoin are aware that their old passwords are at stake, and they were already advised to change them everywhere they were reused (thus including PyPI).</div><div><br></div><div>If we go with the intermediate suggestion of asking people to re-login within 2 months (and force-reset afterwards), we can specify this concern in the email we send them.</div><div><br></div><div>On 11 Feb 2013, at 14:59, Jesse Noller <<a href="mailto:jnoller@gmail.com">jnoller@gmail.com</a>> wrote:</div><blockquote type="cite"><meta http-equiv="content-type" content="text/html; charset=utf-8"><div dir="auto"><div>I think it's a safe assumption that people using PSF resources such as pypi and the wiki used the same passwords - the bug tracker too. The best approach is a global reset, sadly.</div><div><br>On Feb 11, 2013, at 8:54 AM, Giovanni Bajo <<a href="mailto:rasky@develer.com">rasky@develer.com</a>> wrote:<br><br></div><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=us-ascii"><div><div>On 11 Feb 2013, at 14:38, Donald Stufft <<a href="mailto:donald.stufft@gmail.com">donald.stufft@gmail.com</a>> wrote:</div><blockquote type="cite">
<div><span style="color: rgb(160, 160, 168); ">On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote:</span></div>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div>Giovanni Bajo wrote:</div><blockquote type="cite"><div>On 11 Feb 2013, at 13:25, Jesse Noller <<a href="mailto:jnoller@gmail.com">jnoller@gmail.com</a>> wrote:</div><div><br></div><blockquote type="cite">Actually I was thinking about this in the shower: the likelihood that pypi users used the same passwords as they did on the wiki is probably much higher than any of us assume.</blockquote><div><br></div><div>Given that the passwords were unsalted in both instances, a set intersection is enough to verify.</div></blockquote><div><br></div><div>The moin wiki passwords were salted.</div><div><br></div><div>The reason we reset the passwords was that the attackers had access to both the salt and the hashes.</div><div><br></div></span></blockquote><div>What were they hashed with? Even with a salt, a fast hash is trivial to brute-force for a large number of passwords in practically no time with trivial hardware.</div><div><br>
</div>
</blockquote></div><div><br></div>Yes, and that's why all passwords were reset.<div><br></div><div>PyPI is even worse (unsalted SHA), but there is no current evidence of compromise. The discussion here is that I suggest migrating all hashes immediately to bcrypt (by bcrypting the SHA1 hash, and then detecting this at startup), while Christian's proposal is to migrate as users log in, thus leaving SHA1 hashes in that DB for an unknown number of days/weeks/months.<br><div apple-content-edited="true">
<div>-- </div><div>Giovanni Bajo :: <a href="mailto:rasky@develer.com">rasky@develer.com</a><br>Develer S.r.l. :: <a href="http://www.develer.com/">http://www.develer.com</a><br><br>My Blog: <a href="http://giovanni.bajo.it/">http://giovanni.bajo.it</a></div></div></div></blockquote><blockquote type="cite"><span>_______________________________________________</span><br><span>Catalog-SIG mailing list</span><br><span><a href="mailto:Catalog-SIG@python.org">Catalog-SIG@python.org</a></span><br><span><a href="http://mail.python.org/mailman/listinfo/catalog-sig">http://mail.python.org/mailman/listinfo/catalog-sig</a></span></blockquote></div></blockquote></div><div><br></div><br><div>
<div>-- </div><div>Giovanni Bajo :: <a href="mailto:rasky@develer.com">rasky@develer.com</a><br>Develer S.r.l. :: <a href="http://www.develer.com/">http://www.develer.com</a><br><br>My Blog: <a href="http://giovanni.bajo.it/">http://giovanni.bajo.it</a></div>
</div>
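<div>Added example, not code from this thread, from PyPI or from MoinMoin: the two migration paths debated above for a table of unsalted SHA1 hashes (Giovanni's eager wrap of every stored digest in a slow hash, unwrapped on the user's next login, and Christian's lazy re-hash at login), together with the set-intersection reuse check and the dictionary lookup against unsalted SHA1 that Jesse's and Donald's points rest on. It assumes hashlib.scrypt from the Python standard library as a stand-in for bcrypt (which is not in the standard library), a record format of my own with a leading "$" to tell new records from legacy 40-character hex digests, and a constructed two-user table as input.</div>

```python
# Added example, not code from the Catalog-SIG thread, from PyPI or from MoinMoin.
# Two migration paths for a table of unsalted hex SHA1 password hashes:
#   eager: slow-hash every stored digest now, unwrap on the user's next login;
#   lazy:  keep SHA1 until the user next logs in, then re-hash.
# Assumption: hashlib.scrypt (standard library) stands in for bcrypt, which
# is not in the standard library; swap in bcrypt.hashpw for production.
import hashlib
import hmac
import os

# Constructed sample table (username -> unsalted hex SHA1), not real PyPI data.
SAMPLE_DB = {
    "alice": hashlib.sha1(b"correct horse").hexdigest(),
    "bob": hashlib.sha1(b"hunter2").hexdigest(),
}

# scrypt cost: N=2**14, r=8 needs 16 MiB and tens of ms per hash; raise in prod.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def sha1_hex(password: str) -> str:
    """The legacy unsalted scheme being retired."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(material: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(material, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)


def _record(scheme: str, salt: bytes, digest: bytes) -> str:
    # Own format (assumption): a leading "$" tells new records from legacy hex.
    return f"${scheme}${salt.hex()}${digest.hex()}"


def hash_password(password: str) -> str:
    """Fresh salted slow hash: the target format for every account."""
    salt = os.urandom(16)
    return _record("scrypt", salt, slow_hash(password.encode("utf-8"), salt))


def wrap_legacy(legacy_hex: str) -> str:
    """Eager migration. The password is unknown, but the digest we hold can be
    slow-hashed so plain SHA1 never sits in the table again. The hex digest
    (40 ASCII bytes) is used on purpose: bcrypt truncates input at 72 bytes
    and stops at the first NUL, so raw digest bytes would be unsafe there."""
    salt = os.urandom(16)
    return _record("scrypt-sha1", salt, slow_hash(legacy_hex.encode("ascii"), salt))


def migrate_all(db: dict) -> dict:
    """One-shot pass; records already in the new format are left alone."""
    return {u: (h if h.startswith("$") else wrap_legacy(h)) for u, h in db.items()}


def verify(password: str, record: str):
    """Check a login. Returns (ok, replacement_record_or_None); the caller
    stores the replacement, so each successful login finishes the migration."""
    if not record.startswith("$"):
        # Lazy path: plain unsalted SHA1 still in the table.
        ok = hmac.compare_digest(sha1_hex(password), record)
        return ok, (hash_password(password) if ok else None)
    parts = record.split("$")
    if len(parts) != 4:
        return False, None
    _, scheme, salt_hex, digest_hex = parts
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    if scheme == "scrypt-sha1":
        material = sha1_hex(password).encode("ascii")
    elif scheme == "scrypt":
        material = password.encode("utf-8")
    else:
        return False, None
    ok = hmac.compare_digest(slow_hash(material, salt), expected)
    if ok and scheme == "scrypt-sha1":
        return True, hash_password(password)  # password in hand: drop the SHA1 layer
    return ok, None


def shared_passwords(db_a: dict, db_b: dict) -> set:
    """Unsalted hashes on both sides: a set intersection on the digests finds
    cross-site password reuse without cracking anything."""
    by_hash = {}
    for user, h in db_a.items():
        by_hash.setdefault(h, set()).add(user)
    return {(a, b) for b, h in db_b.items() for a in by_hash.get(h, ())}


def crack_unsalted(db: dict, wordlist) -> dict:
    """Why a fast hash must go: one SHA1 per candidate covers every account
    at once, because no salt separates them."""
    table = {sha1_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}
```

<div>To use real bcrypt in place of the scrypt stand-in, replace slow_hash with bcrypt.hashpw(material, bcrypt.gensalt()) and compare with bcrypt.checkpw; keep feeding the hex digest for the wrapped records, since bcrypt's 72-byte limit and NUL termination make raw digest bytes a poor input. With the eager pass, the table holds no crackable SHA1 at any point; with the lazy path, accounts that never log in keep their SHA1 indefinitely, which is the gap the thread is weighing.</div>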
<br></body></html>