[Catalog-sig] Mandatory Reset of PyPI Passwords

Antoine Pitrou solipsis at pitrou.net
Tue Feb 12 18:15:24 CET 2013


Donald Stufft <donald.stufft <at> gmail.com> writes:
>
> However I think a better approach would be to not automatically upgrade and
> instead have the upgrade occur when a user changes their password. Then we
> should set a date (A month from now? 2?) where any user who has not
> reset/changed their password will have their password invalidated and will
> need to use PyPI's recovery options.

What would that change exactly? There's still a two-month window during which
the leaked password can be exploited.
Also, I don't understand why you're tying this to the hashing scheme migration.
They're two orthogonal schemes.

I still think the original migration scheme should be applied (i.e. migrate all
passwords immediately to bcrypt + sha1). Whether some passwords should also be
reset is a separate concern.

Besides, keep in mind that many people will never explicitly log in to PyPI;
they simply use "setup.py upload". As someone mentioned, their account might be
tied to an e-mail that isn't even valid anymore.

Regards

Antoine.
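The immediate "bcrypt + sha1" migration argued for above can be sketched in code. This is an added example, not PyPI's code or anything from the thread: the existing SHA-1 digests are wrapped in a slow KDF without ever needing the plaintext, so every row migrates in one offline pass, and a reset policy can be decided separately. The standard library has no bcrypt, so `hashlib.pbkdf2_hmac` stands in for it here; the store contents, prefix string and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed legacy store: username -> hex SHA-1 of the password, the
# pre-migration scheme the thread discusses.  The migration code never
# sees the plaintext passwords, only these digests.
LEGACY_STORE = {
    "alice": hashlib.sha1(b"correct horse").hexdigest(),
    "bob": hashlib.sha1(b"hunter2").hexdigest(),
}

ITERATIONS = 100_000  # assumed work factor for the stand-in KDF
PREFIX = "$kdf-sha1$"  # assumed marker for already-migrated rows


def wrap_legacy_digest(sha1_hex: str, salt: Optional[bytes] = None) -> str:
    """Wrap an existing SHA-1 hex digest in a salted slow KDF.

    Only the stored digest is needed, so this runs over the whole table
    at once instead of waiting for each user to log in or change password.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", sha1_hex.encode(), salt, ITERATIONS)
    return PREFIX + salt.hex() + "$" + dk.hex()


def migrate_all(store: dict) -> dict:
    """One offline pass: every legacy row becomes a wrapped row."""
    return {user: wrap_legacy_digest(h) for user, h in store.items()}


def verify(stored: str, password: str) -> bool:
    """Check a password against either a legacy or a migrated row.

    The inner SHA-1 is recomputed from the password and fed to the KDF,
    which is why the wrapped form keeps verifying the old credential.
    """
    sha1_hex = hashlib.sha1(password.encode()).hexdigest()
    if stored.startswith(PREFIX):
        _, _, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", sha1_hex.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Unmigrated legacy row: plain SHA-1 comparison, constant time.
    return hmac.compare_digest(sha1_hex, stored)
```

Whether a given account should additionally be forced through a reset is then a policy decision on top of the migrated store, not a precondition for it.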
