[Catalog-sig] Mandatory Reset of PyPI Passwords

Donald Stufft donald.stufft at gmail.com
Tue Feb 12 12:45:35 CET 2013


On Tuesday, February 12, 2013 at 6:38 AM, Giovanni Bajo wrote:
> What about forcing this reset only for users that also have an account on wiki.python.org (http://wiki.python.org)?

That could be difficult because that's assuming that if they did have the same account
that they used the same username or email address (also likely, but not required). Also
it doesn't do anything if they have multiple PyPI accounts (project? company?) sharing
that password. If the attacker did get the passwords from Moin he has a pretty decent
dictionary to start with before he'd need to resort to a "dumb" brute force of PyPI.
