[Catalog-sig] Pull request to migrate PyPI to bcrypt
M.-A. Lemburg
mal at egenix.com
Mon Feb 11 14:10:26 CET 2013
Christian Heimes wrote:
> On 11.02.2013 13:26, M.-A. Lemburg wrote:
>> Why not leave the decision to change the password to the PyPI users
>> and only do a blog post and perhaps have a banner on PyPI to notify
>> them ?
>>
>> After all, unlike for the wiki installation, the PyPI passwords were
>> not compromised.
>
> It depends on your level of paranoia. Technically they are potentially
> compromised. The passwords were and are still transmitted over
> non-encrypted HTTP connections. </nitpicking>
True and Jesse's point is also true.
Please note, though, that if we reset passwords, we may very well
lock out PyPI users. If the registered email address is no longer
valid, there's no way to regain access to the account other than
via an admin.
I also just tested the password reset mechanism and found a few
issues. Entering your details here:
https://pypi.python.org/pypi?%3Aaction=forgotten_password_form
results in an email:
"""
Someone, perhaps you, has requested that the password be changed for your
username, "xyz". If you wish to proceed with the change, please follow
the link below:
http://pypi.python.org/pypi?:action=password_reset&email=x%40yz.com
You should then receive another email with the new password.
"""
Clicking on the HTTP link then results in an *email* with a new clear
text password:
"""
Your login is: xyz
Your password is now: 1234
"""
The second email should probably contain a note explaining that
the password is temporary and should be changed as soon as possible
on the PyPI website.
Since there's no additional password reset protection (e.g. some
password reset question or similar additional authentication
request or a token which is sent with the first email), the above
URL can be used to reset any PyPI account for which you know
the email address.
So I guess, the process needs to be fixed before going ahead with
any password reset.
--
Marc-Andre Lemburg
eGenix.com
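The flaw described in the message is that the reset link carries only the email address, so no proof of receiving the first email is required. The sketch below is an added example of the token-based flow the message asks for; it is not PyPI's code, and the in-memory USERS and RESET_TOKENS stores, the function names and the URL parameter `token` are assumptions for illustration. The user chooses the new password on the form, so no clear-text password is mailed.

```python
import hashlib
import secrets
import time

# Constructed stand-ins for a user table and a reset-token table (not PyPI's schema).
USERS = {"xyz": {"email": "x@yz.com", "salt": b"", "pw_hash": b""}}
RESET_TOKENS = {}  # sha256(token) -> (username, expires_at)
TOKEN_TTL_SECONDS = 3600


def _hash_token(token):
    # Only a hash is stored, so a leaked token table cannot be replayed as-is.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Step 1: issue a random, single-use, time-limited token and return the
    link to mail to the address on record. An unknown address yields None
    (nothing is sent); the HTTP response should be identical in both cases
    so the form cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    for username, rec in USERS.items():
        if rec["email"] == email:
            token = secrets.token_urlsafe(32)
            RESET_TOKENS[_hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
            return f"https://pypi.python.org/pypi?:action=password_reset&token={token}"
    return None


def complete_reset(token, new_password, now=None):
    """Step 2: honour the link only with a valid, unexpired token. Knowing
    the email address alone is no longer enough, and a token is consumed
    on first use whether or not it has expired."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash_token(token), None)
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    salt = secrets.token_bytes(16)
    USERS[username]["salt"] = salt
    USERS[username]["pw_hash"] = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
    return True


def check_password(username, password):
    rec = USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    return secrets.compare_digest(candidate, rec["pw_hash"])
```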