[Catalog-sig] Mandatory Reset of PyPI Passwords

Donald Stufft donald.stufft at gmail.com
Tue Feb 12 12:31:31 CET 2013


Since the wiki.python.org database was likely compromised and it was using a weak 
hash we should probably assume that all passwords in there have been leaked. Because
of this I want to formally propose that PyPI reset its passwords.

I've recently created a PR (based on some of Giovanni Bajo's) that switches PyPI
to using passlib and ideally bcrypt (although configurable). Included in that PR is the
ability to auto migrate from the existing scheme (unsalted sha1) to the new scheme (bcrypt)
upon login.

However I think a better approach would be to not automatically upgrade and instead
have the upgrade occur when a user changes their password. Then we should set
a date (A month from now? 2?) where any user who has not reset/changed their
password will have their password invalidated and will need to use PyPI's recovery
options.

The reason I believe we should reset is because there is a high likelihood that
people used the same login/password on PyPI as they did on wiki.python.org and
thus even if we migrate to a stronger hash many accounts may be already
compromised, or will be in the future.
