[Catalog-sig] Pull request to migrate PyPI to bcrypt

M.-A. Lemburg mal at egenix.com
Mon Feb 11 16:20:52 CET 2013


On 11.02.2013 14:49, Christian Heimes wrote:
> On 11.02.2013 14:38, Donald Stufft wrote:
>> On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote:
>>> Giovanni Bajo wrote:
>>>> On 11/feb/2013, at 13:25, Jesse Noller
>>>> <jnoller at gmail.com> wrote:
>>>>
>>>>> Actually I was thinking about this in the shower: the likelihood
>>>>> that pypi users used the same passwords as they did on the wiki is
>>>>> probably much higher than any of us assume.
>>>>
>>>> Given that the passwords were unsalted in both instances, a set
>>>> intersection is enough to verify.
>>>
>>> The moin wiki passwords were salted.
>>>
>>> The reason we reset the passwords was that the attackers had
>>> access to both the salt and the hashes.
>>>
>> What were they hashed with? Even with a salt a fast hash is trivial to
>> bruteforce for a large number of passwords in practically no time
>> with trivial hardware. 
> 
> It uses SSHA, that's sha1(password + salt) with a seven char salt.

Right, should have added that information.

BTW: I wonder why salt and password are usually stored together
in the same place. The moin implementation also did not add any
application salt to the password string before calculating the
hash value (i.e. x = hash(random_salt + application_salt + password)).
Not sure whether passlib does, either.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 11 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
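As an added illustration of the two storage layouts discussed in this thread (not code from MoinMoin, passlib or PyPI): the first function reproduces SSHA as Christian describes it, sha1(password + salt) with a seven-byte salt, in the common {SSHA}base64(digest + salt) record layout, which is assumed here and is exactly the "salt stored together with the hash" situation Marc-Andre asks about. The second realises his hash(random_salt + application_salt + password) with a slow KDF: PBKDF2-HMAC-SHA256 stands in for bcrypt so the example needs only the standard library, the per-user salt is written into the record, and the application secret is a separate input that a dump of the user table does not contain. The APPLICATION_SECRET value, the iteration count and the record format are constructed for this example.

```python
"""Added example: SSHA-style storage next to a salted, peppered, slow-KDF layout.
Not the code of MoinMoin, passlib or PyPI; stand-in for the schemes named in the thread.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed value for this example. In a deployment this lives in configuration
# or a secrets store, never in the table that holds the hashes and salts.
APPLICATION_SECRET = b"constructed-application-secret"

SSHA_SALT_LEN = 7            # "seven char salt" as described in the thread
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the hardware


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """sha1(password + salt), stored as {SSHA}base64(digest + salt).

    The salt sits in the same string as the digest, so whoever reads the record
    has every input needed to check guesses, and SHA-1 is a fast hash.
    """
    if salt is None:
        salt = secrets.token_bytes(SSHA_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute sha1(password + salt) from the stored record and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def peppered_hash(password: str, salt: Optional[bytes] = None,
                  secret: bytes = APPLICATION_SECRET,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """hash(random_salt + application_salt + password) from the thread,
    realised as PBKDF2-HMAC-SHA256 over salt = random_salt + application secret.

    Only the iteration count, the random salt and the derived key go into the
    record. The application secret is an input supplied from elsewhere at
    verification time, so the record alone is not enough to start guessing.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt + secret, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def peppered_verify(password: str, stored: str,
                    secret: bytes = APPLICATION_SECRET) -> bool:
    """Parse the record, rebuild the derived key with the supplied secret, compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        salt, dk = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt + secret, int(iters))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    rec_ssha = ssha_hash("correct horse")      # constructed sample password
    rec_pep = peppered_hash("correct horse")
    print(rec_ssha)                            # salt is recoverable from this string
    print(rec_pep)                             # no trace of APPLICATION_SECRET here
    print(ssha_verify("correct horse", rec_ssha), peppered_verify("correct horse", rec_pep))
```

Two things worth noticing when running it: the {SSHA} record decodes to digest plus salt, so a copy of the table is all an attacker needs, whereas the second record verifies only when the same application secret is supplied, and a secret held in a different place (config, KMS) has to be compromised as well. The pepper does not replace a slow hash; it is a layer on top of one.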

