[Catalog-sig] Pull request to migrate PyPI to bcrypt

M.-A. Lemburg mal at egenix.com
Mon Feb 11 12:53:28 CET 2013


Richard Jones wrote:
> Given the discussion on the pull request I think I'll hold off. There
> seems to be some question regarding its appropriateness which I'm not
> really in a position to judge.

FWIW, the DoS problem with the multi-round hash algorithms was also
an issue for moin. They chose to use passlib with moin:

http://hg.moinmo.in/moin/1.9/file/tip/docs/CHANGES

and the default hash algorithm is sha512_crypt. Everything
was made configurable to be able to easily switch algorithms and
use different numbers of rounds to adjust for the use cases.

See these links for a discussion on the hash algorithms and
rounds values:

http://pythonhosted.org/passlib/new_app_quickstart.html#choosing-a-hash
http://pythonhosted.org/passlib/password_hash_api.html#choosing-the-right-rounds-value

Also note that these password hashes mainly protect against
the case where a user uses the same password for multiple
services. If an attacker gets access to the stored password
hashes, he'll already have all the power he needs to change
any aspect of an arbitrary number of accounts, including changing
the passwords, so we're not gaining any protection for *PyPI* by
using a high number of rounds. The additional number of rounds
only protects against use of the passwords on other services.

As a result, the DoS problem weighs more in this context than
the protection against brute-force or rainbow table attacks.

Let's please not get paranoid over all this. As long as the parameters
remain configurable, we can approach these things in small steps and
don't need to get all tied up in discussions about how to turn
PyPI into Fort Knox :-)

>      Richard
> 
> On 10 February 2013 21:57, Richard Jones <richard at python.org> wrote:
>> Thanks, I'll be reviewing that tomorrow if Martin doesn't beat me to it.
>>
>>
>>      Richard
>>
>> On 10 February 2013 14:26, Giovanni Bajo <rasky at develer.com> wrote:
>>> Hi,
>>>
>>> I went ahead with an important task in my security design doc: migration of PyPI to bcrypt.
>>>
>>> This is the pull request:
>>> https://bitbucket.org/loewis/pypi/pull-request/2/use-bcrypt-instead-of-unsalted-sha1/diff
>>>
>>> --
>>> Giovanni Bajo   ::  rasky at develer.com
>>> Develer S.r.l.  ::  http://www.develer.com
>>>
>>> My Blog: http://giovanni.bajo.it
>>>
>>> _______________________________________________
>>> Catalog-SIG mailing list
>>> Catalog-SIG at python.org
>>> http://mail.python.org/mailman/listinfo/catalog-sig
>>>

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
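The configurable setup Marc-Andre describes (a recorded algorithm and round count per hash, so rounds can be tuned per deployment and old hashes upgraded later), as an added example that is not code from the thread, PyPI or passlib: passlib's sha512_crypt is swapped for the standard-library PBKDF2-HMAC-SHA512 so it runs without extra packages, and the `$`-separated record format and function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2-sha512"  # label stored with each hash (assumed record format)
DEFAULT_ROUNDS = 50_000       # the tunable cost parameter; set per deployment

def hash_password(password: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return a self-describing record: algorithm$rounds$salt$digest (base64 fields)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return "$".join([ALGORITHM, str(rounds),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])

def _parse(record: str):
    parts = record.split("$")
    return parts if len(parts) == 4 else None

def verify_password(password: str, record: str) -> bool:
    """Recompute with the rounds stored in the record; compare in constant time."""
    parts = _parse(record)
    if parts is None or parts[0] != ALGORITHM:
        return False
    _, rounds, salt_b64, digest_b64 = parts
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                 base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))

def needs_rehash(record: str, rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when the record's algorithm or rounds differ from the current setting,
    so it can be re-hashed on the next successful login instead of a mass reset."""
    parts = _parse(record)
    return parts is None or parts[0] != ALGORITHM or int(parts[1]) != rounds

def seconds_per_verify(rounds: int) -> float:
    """Server-side cost of one verification at a given round count: the figure
    that turns a generous rounds setting into the DoS exposure the thread mentions."""
    record = hash_password("benchmark", rounds)
    start = time.perf_counter()
    verify_password("benchmark", record)
    return time.perf_counter() - start
```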