[Catalog-sig] Pull request to migrate PyPI to bcrypt

Christian Heimes christian at python.org
Mon Feb 11 14:49:34 CET 2013


On 11.02.2013 14:38, Donald Stufft wrote:
> On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote:
>> Giovanni Bajo wrote:
>>> On 11/feb/2013, at 13:25, Jesse Noller
>>> <jnoller at gmail.com> wrote:
>>>
>>>> Actually I was thinking about this in the shower: the likelihood
>>>> that pypi users used the same passwords as they did on the wiki is
>>>> probably much higher than any of us assume.
>>>
>>> Given that the passwords were unsalted in both instances, a set
>>> intersection is enough to verify.
>>
>> The moin wiki passwords were salted.
>>
>> The reason we reset the passwords, was that the attackers had
>> access to both the salt and the hashes.
>>
> What were they hashed with? Even with a salt a fast hash is trivial to
> bruteforce for a large number of passwords in practically no time
> with trivial hardware. 

It uses SSHA, that's sha1(password + salt) with a seven char salt.

Christian
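The SSHA scheme described above (sha1(password + salt) with a seven-character salt), as an added illustration that is not part of the original message or of MoinMoin's code. It assumes the LDAP-style record layout "{SSHA}" + base64(digest + salt), so that, as the thread notes, anyone holding the stored record also holds the salt; only the hash construction and the salt length come from the message.

```python
import base64
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

SALT_LEN = 7  # seven-character salt, as stated in the message
SHA1_LEN = 20  # sha1 digest size in bytes

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} record: base64(sha1(password + salt) + salt).

    The record layout is an assumption (LDAP convention); the salt is
    stored in the clear alongside the digest, it is not a secret.
    """
    if salt is None:
        alphabet = (string.ascii_letters + string.digits).encode("ascii")
        salt = bytes(alphabet[b % len(alphabet)] for b in os.urandom(SALT_LEN))
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored record into (digest, salt); raises on malformed input."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an SSHA record")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) != SHA1_LEN + SALT_LEN:
        raise ValueError("unexpected record length")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]

def ssha_verify(password: str, stored: str) -> bool:
    """Recompute sha1(password + salt) and compare in constant time."""
    try:
        digest, salt = ssha_split(stored)
    except ValueError:
        return False
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Per-user salt means equal passwords hash differently across users,
    # but a single unsalted-speed sha1 per guess is still a fast hash.
    return hmac.compare_digest(digest, expected)
```

The per-user salt is what breaks the "set intersection" idea raised earlier in the thread: two accounts with the same password produce different records, and each stored record still exposes its own salt to whoever reads it.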
