[Catalog-sig] Mandatory Reset of PyPI Passwords
Giovanni Bajo
rasky at develer.com
Tue Feb 12 12:38:44 CET 2013
On 12/feb/2013, at 12:31, Donald Stufft <donald.stufft at gmail.com> wrote:
> Since the wiki.python.org database was likely compromised and it was using a weak
> hash we should probably assume that all passwords in there have been leaked. Because
> of this I want to formally propose that PyPI reset its passwords.
>
> I've recently created a PR (based on some of Giovanni Bajo's) that switches PyPI
> to using passlib and ideally bcrypt (although configurable). Included in that PR is the
> ability to auto migrate from the existing scheme (unsalted sha1) to the new scheme (bcrypt)
> upon login.
>
> However I think a better approach would be to not automatically upgrade and instead
> have the upgrade occur when a user changes their password. Then we should set
> a date (A month from now? 2?) where any user who has not reset/changed their
> password will have their password invalidated and will need to use PyPI's recovery
> options.
What about forcing this reset only for users that also have an account on wiki.python.org?
Notice that PyPI recovery options should be improved, as they currently send a new password via email in clear text. It should ideally be changed to mailing a link pointing to a reset password form.
--
Giovanni Bajo :: rasky at develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
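The two migration paths discussed above (transparent upgrade of a legacy unsalted-SHA-1 hash at login time, versus leaving it alone until a deadline and then invalidating it so the user must go through recovery), as an added example that is neither PyPI's code nor the PR under discussion. It uses PBKDF2 from the standard library in place of passlib/bcrypt so it runs with no dependencies; the stored-hash string formats and the `db` dict are constructed for the example.

```python
"""Hash upgrade on login vs. deadline invalidation (added example, not PyPI code)."""
import hashlib
import hmac
import os

# Constructed storage formats for this example (PyPI's real column layout differs):
#   "sha1$<hex>"                        legacy unsalted SHA-1
#   "pbkdf2$<rounds>$<salthex>$<hex>"   salted, slow scheme standing in for bcrypt
#   "invalidated$"                      password wiped; only recovery can restore it
ROUNDS = 100_000


def legacy_hash(password: str) -> str:
    """What the old scheme stored: unsalted SHA-1, cheap to crack offline."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def new_hash(password: str, salt: bytes = None) -> str:
    """New scheme: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"pbkdf2${ROUNDS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Constant-time check against whichever scheme the stored value uses."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        return hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), rest)
    if scheme == "pbkdf2":
        rounds, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme or invalidated entry never verifies


def login(db: dict, user: str, password: str, upgrade_on_login: bool = True) -> bool:
    """Authenticate; with upgrade_on_login, migrate a legacy hash the moment it verifies."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if upgrade_on_login and stored.startswith("sha1$"):
        db[user] = new_hash(password)  # plaintext is only available here, at login
    return True


def invalidate_legacy(db: dict) -> list:
    """Deadline step: anyone still on the old scheme loses the password entirely."""
    stale = sorted(u for u, h in db.items() if h.startswith("sha1$"))
    for u in stale:
        db[u] = "invalidated$"
    return stale
```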