<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>On 12 Feb 2013, at 12:31, Donald Stufft <<a href="mailto:donald.stufft@gmail.com">donald.stufft@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div>
Since the <a href="http://wiki.python.org">wiki.python.org</a> database was likely compromised and it was using a weak
</div><div>hash we should probably assume that all passwords in there have been leaked. Because</div><div>of this I want to formally propose that PyPI reset its passwords.</div><div><br></div><div>I've recently created a PR (based on some of Giovanni Bajo's) that switches PyPI</div><div>to using passlib and ideally bcrypt (although configurable). Included in that PR is the</div><div>ability to auto migrate from the existing scheme (unsalted sha1) to the new scheme (bcrypt)</div><div>upon login.</div><div><br></div><div>However I think a better approach would be to not automatically upgrade and instead</div><div>have the upgrade occur when a user changes their password. Then we should set</div><div>a date (A month from now? 2?) where any user who has not reset/changed their</div><div>password will have their password invalidated and will need to use PyPI's recovery</div><div>options.</div></blockquote></div><div><br></div><div><div>What about forcing this reset only for users that also have an account on <a href="http://wiki.python.org">wiki.python.org</a>?</div><div><br></div></div><div><div>Notice that PyPI recovery options should be improved, as they currently send a new password via email in clear text. It should ideally be changed to mailing a link pointing to a reset password form.</div></div><div>
<div>-- </div><div>Giovanni Bajo :: <a href="mailto:rasky@develer.com">rasky@develer.com</a><br>Develer S.r.l. :: <a href="http://www.develer.com/">http://www.develer.com</a><br><br>My Blog: <a href="http://giovanni.bajo.it/">http://giovanni.bajo.it</a></div><div><br></div>
</div>
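<div>The migration scheme discussed in the quoted proposal (legacy unsalted sha1 hashes rehashed into a stronger scheme on a successful login, with a cut-off date after which un-upgraded hashes are no longer accepted and the account must go through recovery), as an added example that is not code from the thread or from the PyPI PR. It uses only the Python standard library, so PBKDF2 from hashlib stands in for bcrypt/passlib, and the user table and the 12 April 2013 cut-off are constructed assumptions.</div>

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed stand-in for the user table: username -> (scheme, salt_hex, digest).
# "sha1" marks the legacy unsalted scheme the thread describes; "pbkdf2" marks the
# upgraded scheme (assumed here because bcrypt is not in the standard library).
CUTOFF = date(2013, 4, 12)  # assumed two-month grace period; the thread leaves it open


def legacy_sha1(password: str) -> str:
    # Legacy scheme: unsalted sha1 hex digest, trivially crackable if the table leaks.
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_strong_record(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return ("pbkdf2", salt.hex(), strong_hash(password, salt))


def check_login(users: dict, username: str, password: str, today: date) -> str:
    """Return 'ok', 'upgraded', 'expired' or 'bad'.

    A legacy hash is verified and rehashed only until CUTOFF; after that it is
    treated as invalidated and the user must use the recovery flow."""
    scheme, salt_hex, digest = users[username]
    if scheme == "sha1":
        if today > CUTOFF:
            return "expired"
        if not hmac.compare_digest(digest, legacy_sha1(password)):
            return "bad"
        users[username] = make_strong_record(password)  # transparent upgrade
        return "upgraded"
    if hmac.compare_digest(digest, strong_hash(password, bytes.fromhex(salt_hex))):
        return "ok"
    return "bad"


def demo() -> dict:
    # Constructed users, both still on the legacy scheme.
    users = {"alice": ("sha1", "", legacy_sha1("correct horse")),
             "bob": ("sha1", "", legacy_sha1("battery staple"))}
    return {
        "alice_before": check_login(users, "alice", "correct horse", date(2013, 2, 13)),
        "alice_again": check_login(users, "alice", "correct horse", date(2013, 5, 1)),
        "alice_wrong": check_login(users, "alice", "wrong", date(2013, 5, 1)),
        "bob_after": check_login(users, "bob", "battery staple", date(2013, 5, 1)),
        "alice_scheme": users["alice"][0],
    }
```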
<br></body></html>