[Catalog-sig] Pull request to migrate PyPI to bcrypt

Jesse Noller jnoller at gmail.com
Mon Feb 11 11:52:23 CET 2013


Both issues. As for the # of rounds for bcrypt: yes, it should be increased; but maxing somewhere reasonable - 250+ ms for calculation is probably "OK" but it's going to be trivial to DoS unless this merge request also comes with all the other things you propose (rate limiting, etc).  

If we increase the # of bcrypt rounds without simultaneously fixing the potential DoS we're stabbing ourselves in the face, not making it more secure. 


On Monday, February 11, 2013 at 5:31 AM, Giovanni Bajo wrote:

> On what? On using bcrypt with 1ms computation time? Or on the migration path? Those are the two issues at discussion.
> 
> On 11 Feb 2013, at 11:06, Jesse Noller <jnoller at gmail.com> wrote:
> 
> > That's disappointing - Christian is correct 
> > 
> > On Feb 11, 2013, at 3:39 AM, Richard Jones <richard at python.org> wrote:
> > 
> > > Given the discussion on the pull request I think I'll hold off. There
> > > seems to be some question regarding its appropriateness which I'm not
> > > really in a position to judge.
> > > 
> > > 
> > > Richard
> > > 
> > > On 10 February 2013 21:57, Richard Jones <richard at python.org> wrote:
> > > > Thanks, I'll be reviewing that tomorrow if Martin doesn't beat me to it.
> > > > 
> > > > 
> > > > Richard
> > > > 
> > > > On 10 February 2013 14:26, Giovanni Bajo <rasky at develer.com> wrote:
> > > > > Hi,
> > > > > 
> > > > > I went ahead with an important task in my security design doc: migration of PyPI to bcrypt.
> > > > > 
> > > > > This is the pull request:
> > > > > https://bitbucket.org/loewis/pypi/pull-request/2/use-bcrypt-instead-of-unsalted-sha1/diff
> > > > > 
> > > > > --
> > > > > Giovanni Bajo :: rasky at develer.com
> > > > > Develer S.r.l. :: http://www.develer.com
> > > > > 
> > > > > My Blog: http://giovanni.bajo.it
> > > > > 
> > > > > _______________________________________________
> > > > > Catalog-SIG mailing list
> > > > > Catalog-SIG at python.org
> > > > > http://mail.python.org/mailman/listinfo/catalog-sig
> -- 
> Giovanni Bajo :: rasky at develer.com
> Develer S.r.l. :: http://www.develer.com
> 
> My Blog: http://giovanni.bajo.it 
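The tradeoff Jesse raises (a work factor tuned to a latency budget versus how many logins a server can then verify) can be made concrete. This is an added example, not code from the thread or from the PyPI pull request; it assumes the PyPI `bcrypt` package is installed and falls back to PBKDF2 only so the calibration logic still runs without it.

```python
"""Calibrate a bcrypt work factor against a latency budget and estimate the
login throughput one server can absorb at that cost (constructed example)."""
import hashlib
import os
import time

try:
    import bcrypt  # assumption: the PyPI 'bcrypt' package is installed
except ImportError:  # fallback so the calibration below still runs
    bcrypt = None


def hash_cost_seconds(rounds, password=b"correct horse battery staple"):
    """Wall-clock seconds for one hash at the given work factor.

    Uses bcrypt when available; otherwise PBKDF2-HMAC-SHA256 with 2**rounds
    iterations stands in (a stand-in, not a bcrypt equivalent)."""
    start = time.perf_counter()
    if bcrypt is not None:
        bcrypt.hashpw(password, bcrypt.gensalt(rounds=rounds))
    else:
        hashlib.pbkdf2_hmac("sha256", password, os.urandom(16), 2 ** rounds)
    return time.perf_counter() - start


def calibrate(target_seconds, cost_fn=hash_cost_seconds, lo=4, hi=31):
    """Smallest work factor in [lo, hi] whose hash takes >= target_seconds.

    Cost doubles per round, so walking up from lo costs about as much as the
    final measurement alone. bcrypt accepts 4..31."""
    for rounds in range(lo, hi + 1):
        if cost_fn(rounds) >= target_seconds:
            return rounds
    return hi


def logins_per_second(cost_seconds, cores):
    """Upper bound on verifications/second: each one burns cost_seconds of a
    core, so unauthenticated login attempts beyond this rate queue up."""
    return cores / cost_seconds


if __name__ == "__main__":
    for budget in (0.001, 0.25):  # the 1 ms and 250 ms figures from the thread
        rounds = calibrate(budget)
        measured = hash_cost_seconds(rounds)
        print(f"budget {budget*1000:.0f} ms -> rounds={rounds}, "
              f"measured {measured*1000:.0f} ms, "
              f"~{logins_per_second(measured, 4):.0f} logins/s on 4 cores")
```

Rerun the calibration on the production hardware, not a laptop, since the chosen work factor only means anything relative to the CPU that will verify logins.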