[Catalog-sig] Mandatory Reset of PyPI Passwords

Jesse Noller jnoller at gmail.com
Tue Feb 12 13:17:10 CET 2013


+1

On Feb 12, 2013, at 6:31 AM, Donald Stufft <donald.stufft at gmail.com> wrote:

> Since the wiki.python.org database was likely compromised and it was using a weak
> hash we should probably assume that all passwords in there have been leaked. Because
> of this I want to formally propose that PyPI reset its passwords.
> 
> I've recently created a PR (based on some of Giovanni Bajo's) that switches PyPI
> to using passlib and ideally bcrypt (although configurable). Included in that PR is the
> ability to auto migrate from the existing scheme (unsalted sha1) to the new scheme (bcrypt)
> upon login.
> 
> However I think a better approach would be to not automatically upgrade and instead
> have the upgrade occur when a user changes their password. Then we should set
> a date (A month from now? 2?) where any user who has not reset/changed their
> password will have their password invalidated and will need to use PyPI's recovery
> options.
> 
> The reason I believe we should reset is because there is a high likelihood that
> people used the same login/password on PyPI as they did on wiki.python.org and
> thus even if we migrate to a stronger hash many accounts may be already
> compromised, or will be in the future.
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
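The migration and reset policy in the quoted proposal, worked through as an added Python example. This is not PyPI's code, nor passlib's: the account record, the scheme tags, the `ResetPolicy` class and the `recover()` hook are all assumptions made here, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the example runs offline. It follows the proposal's preferred shape: unsalted SHA-1 hashes keep working until a deadline, are upgraded only when the user changes the password (never silently on login), and are invalidated after the deadline so the account has to go through recovery.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

# Scheme tags (assumed for this example, not PyPI's real column values).
LEGACY = "sha1"           # the existing scheme: unsalted SHA-1
STRONG = "pbkdf2_sha256"  # stand-in for bcrypt; stdlib only, so it runs anywhere
INVALIDATED = "invalidated"
PBKDF2_ROUNDS = 100_000


def hash_legacy(password: str) -> str:
    """Existing scheme: unsalted SHA-1 hex digest (kept only to verify old records)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_strong(password: str) -> str:
    """New scheme: random salt, iterated PBKDF2-HMAC-SHA256, self-describing string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{STRONG}${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Parse the stored string and recompute with the stored salt and round count."""
    scheme, rounds, salt_hex, dk_hex = stored.split("$")
    if scheme != STRONG:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


@dataclass
class Account:
    username: str
    pw_hash: str
    scheme: str


def verify(acct: Account, password: str) -> bool:
    """Check a password against whichever scheme the record currently uses."""
    if acct.scheme == LEGACY:
        return hmac.compare_digest(hash_legacy(password), acct.pw_hash)
    if acct.scheme == STRONG:
        return verify_strong(password, acct.pw_hash)
    return False  # INVALIDATED (or unknown) never verifies


class ResetPolicy:
    """Legacy hashes stay usable until `deadline`; they are upgraded only when the
    user changes the password, never silently on login, as the proposal prefers."""

    def __init__(self, deadline: date):
        self.deadline = deadline

    def login(self, acct: Account, password: str, today: date) -> str:
        if acct.scheme == INVALIDATED:
            return "recovery_required"
        if acct.scheme == LEGACY and today >= self.deadline:
            # Past the deadline the old hash is not trusted even if it would match.
            acct.pw_hash, acct.scheme = "", INVALIDATED
            return "recovery_required"
        if not verify(acct, password):
            return "denied"
        return "ok_legacy" if acct.scheme == LEGACY else "ok"

    def change_password(self, acct: Account, old: str, new: str, today: date) -> bool:
        """The upgrade point: a successful change always stores the new scheme."""
        if self.login(acct, old, today) not in ("ok", "ok_legacy"):
            return False
        acct.pw_hash, acct.scheme = hash_strong(new), STRONG
        return True

    def expire_legacy_hashes(self, accounts, today: date) -> list:
        """Batch job for the deadline: invalidate every record still on the old scheme."""
        if today < self.deadline:
            return []
        hit = []
        for acct in accounts:
            if acct.scheme == LEGACY:
                acct.pw_hash, acct.scheme = "", INVALIDATED
                hit.append(acct.username)
        return hit


def recover(acct: Account, new: str) -> None:
    """Recovery flow (e-mail/token verification assumed to have happened elsewhere):
    store a fresh strong hash so the account leaves the invalidated state."""
    acct.pw_hash, acct.scheme = hash_strong(new), STRONG
```

Two design points worth noting. `login()` deliberately returns a distinct `"ok_legacy"` so the application can nag the user to change the password without upgrading the hash behind their back, which is the behaviour the proposal argues against. And the deadline is enforced in two places, at login and in a batch job, so an account that never logs in again is still invalidated: a stronger hash alone does nothing for a credential that was reused on the compromised wiki, which is the reason the reset is proposed at all.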
