[Catalog-sig] Pull request to migrate PyPI to bcrypt

Donald Stufft donald.stufft at gmail.com
Mon Feb 11 14:38:04 CET 2013


On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote:
> Giovanni Bajo wrote:
> > On 11 Feb 2013, at 13:25, Jesse Noller <jnoller at gmail.com> wrote:
> > 
> > > Actually I was thinking about this in the shower: the likelihood that pypi users used the same passwords as they did on the wiki is probably much higher than any of us assume.
> > 
> > Given that the passwords were unsalted in both instances, a set intersection is enough to verify.
> 
> The moin wiki passwords were salted.
> 
> The reason we reset the passwords, was that the attackers had
> access to both the salt and the hashes.
> 
What were they hashed with? Even with a salt a fast hash is trivial to
brute-force for a large number of passwords in practically no time
with trivial hardware.
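The two points argued in this exchange, Giovanni's "set intersection" check and Donald's "a salt does not save a fast hash", as an added example in Python (it is not code from the thread, from PyPI or from MoinMoin). The "leaked" user tables, salts and the six-word wordlist are constructed here; salted SHA-1 stands in for the fast scheme, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which would need a third-party package. The iteration count is an assumed work factor, not a recommendation.

```python
"""
Added example, not from the Catalog-SIG thread: password reuse detection by
digest intersection (only works on unsalted hashes), and an offline dictionary
attack against a salted fast hash versus a salted slow hash. All records,
salts and the wordlist below are constructed for this example.
"""
import hashlib
import os
import time

SLOW_ITERATIONS = 100_000  # assumption: a PBKDF2 work factor standing in for bcrypt's cost

# Tiny stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST = ["123456", "password", "letmein", "python", "monkey", "qwerty"]

# Constructed accounts; carol's passphrase is deliberately not in WORDLIST.
USERS = [("alice", "python"), ("bob", "letmein"), ("carol", "correct horse battery staple")]


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: equal passwords give equal digests everywhere."""
    return hashlib.sha1(password.encode()).hexdigest()


def fast_hash(salt: bytes, password: str) -> str:
    """Salted SHA-1: one SHA-1 per guess, the scheme Donald is warning about."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(salt: bytes, password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256: SLOW_ITERATIONS HMACs per guess (bcrypt stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS).hex()


def reuse_by_intersection(site_a, site_b):
    """Giovanni's check: with unsalted hashes, intersecting the digest sets of two
    leaked tables finds reused passwords without cracking anything.
    site_a and site_b are lists of (user, digest); returns {user_a: user_b}."""
    by_digest_b = {digest: user for user, digest in site_b}
    return {user: by_digest_b[digest] for user, digest in site_a if digest in by_digest_b}


def make_records(hash_fn, users):
    """Build a constructed 'leaked' table of (user, salt, digest) with a random
    8-byte salt per record, as a salted password store would hold it."""
    records = []
    for user, password in users:
        salt = os.urandom(8)
        records.append((user, salt, hash_fn(salt, password)))
    return records


def crack(records, hash_fn, wordlist):
    """Offline dictionary attack. The attacker holds salt and digest for every
    record (as in the wiki breach), so the salt only blocks precomputed tables;
    it does not remove the per-record guess loop. Cost is at most
    len(records) * len(wordlist) calls of hash_fn, so the only lever left is
    how expensive each call is."""
    recovered = {}
    for user, salt, digest in records:
        for guess in wordlist:
            if hash_fn(salt, guess) == digest:
                recovered[user] = guess
                break
    return recovered


def guesses_per_second(hash_fn, n: int) -> float:
    """Measure how many guesses one core can test per second with hash_fn."""
    salt = b"\x00" * 8
    start = time.perf_counter()
    for i in range(n):
        hash_fn(salt, f"guess{i}")
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    pypi = [(u, unsalted_hash(pw)) for u, pw in USERS]
    wiki = [("alice_wiki", unsalted_hash("python")), ("dave", unsalted_hash("hunter2"))]
    print("reused (unsalted, by intersection):", reuse_by_intersection(pypi, wiki))

    fast_records = make_records(fast_hash, USERS)
    print("cracked salted SHA-1:", crack(fast_records, fast_hash, WORDLIST))
    print(f"salted SHA-1: {guesses_per_second(fast_hash, 2000):,.0f} guesses/s")
    print(f"salted PBKDF2: {guesses_per_second(slow_hash, 3):,.0f} guesses/s")
```

The slow hash is still crackable with the same loop; what changes is that every guess against every record costs on the order of SLOW_ITERATIONS times more, which is the whole argument for moving PyPI to bcrypt rather than to a salted SHA variant.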
