[Catalog-sig] Mandatory Reset of PyPI Passwords
Antoine Pitrou
solipsis at pitrou.net
Wed Feb 13 21:09:33 CET 2013
Donald Stufft <donald.stufft <at> gmail.com> writes:
>
> The midterm "at once" is still possible, it just bcrypts the existing sha1
> passwords.
> This is better than unsalted sha1's but it's *worse* than just plain bcrypt.
Why is it worse? SHA1 isn't terribly broken AFAIK.
> So yes for that week if the DB gets stolen we will be vulnerable
> to those passwords being bruteforced, but with an upcoming forced reset that
> risk is pretty minimal and the risk of my custom bcrypt+sha1 code breaking
> in an edge case is higher.
Yeah, well, that's because you are forcing a full reset. I wouldn't call that
a "migration" since you are forcing users to re-enter new data.
Regards
Antoine.
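The "wrap the existing sha1 in bcrypt" migration Donald describes, written out as an added example (not PyPI's code): legacy records are upgraded offline without the plaintext, and a successful login against a legacy or wrapped record yields a replacement native record. Assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so it runs offline, and the `sha1$`, `wrapped-sha1$` and `native$` record formats are invented for the example.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library, so the
# example runs offline. The iteration count is an assumed illustrative value.
ITERATIONS = 50_000

def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)

def legacy_sha1(password: str) -> str:
    """The old unsalted-SHA1 record (assumed storage format: 'sha1$<hex>')."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()

def wrap_legacy(sha1_hex: str) -> str:
    """Offline migration: run the slow KDF over the stored SHA1 hex digest.
    No plaintext is needed, so every row can be converted at once; the 40-char
    hex text is the KDF input (with real bcrypt that also avoids its 72-byte limit)."""
    salt = os.urandom(16)
    return f"wrapped-sha1${salt.hex()}${_kdf(sha1_hex.encode('ascii'), salt).hex()}"

def hash_native(password: str) -> str:
    """Plain slow-KDF record, the target format once migration is complete."""
    salt = os.urandom(16)
    return f"native${salt.hex()}${_kdf(password.encode('utf-8'), salt).hex()}"

def verify(password: str, stored: str):
    """Check a password against any of the three record formats.
    Returns (ok, replacement): replacement is a fresh native record when a
    legacy or wrapped record verified and the row should be rewritten."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        ok = hmac.compare_digest(hashlib.sha1(password.encode("utf-8")).hexdigest(), rest)
        return ok, (hash_native(password) if ok else None)
    if scheme == "wrapped-sha1":
        secret = hashlib.sha1(password.encode("utf-8")).hexdigest().encode("ascii")
    elif scheme == "native":
        secret = password.encode("utf-8")
    else:
        return False, None  # unknown or malformed record: fail closed
    salt_hex, _, digest_hex = rest.partition("$")
    try:
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False, None
    ok = hmac.compare_digest(_kdf(secret, salt).hex(), digest_hex)
    return ok, (hash_native(password) if ok and scheme == "wrapped-sha1" else None)
```

The edge case Donald worries about is exactly the three-way dispatch in `verify`: a row in an unexpected format must fail closed rather than raise or match.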