[Catalog-sig] Mandatory Reset of PyPI Passwords
Donald Stufft
donald.stufft at gmail.com
Wed Feb 13 21:33:38 CET 2013
On Wednesday, February 13, 2013 at 3:09 PM, Antoine Pitrou wrote:
> Donald Stufft <donald.stufft at gmail.com> writes:
> >
> > The midterm "at once" is still possible, it just bcrypts the existing sha1
> > passwords.
> > This is better than unsalted sha1's but it's *worse* than just plain bcrypt.
> >
>
>
> Why is it worse? SHA1 isn't terribly broken AFAIK.
Because you lower the available entropy, "birthday paradox".
>
> > So yes for that week if the DB gets stolen we will be vulnerable
> > to those passwords being bruteforced, but with an upcoming forced reset that
> > risk is pretty minimal and the risk of my custom bcrypt+sha1 code breaking
> > in an edge case is higher.
> >
>
>
> Yeah, well, that's because you are forcing a full reset. I wouldn't call that
> a "migration" since you are forcing users to re-enter new data.
>
> Regards
>
> Antoine.
>
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
>
>
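The two migration paths argued about above, as an added example that is not part of this thread or of PyPI's code: a legacy unsalted SHA-1 record is wrapped "at once" in a slow hash without knowing the password, and a login that verifies a wrapped record re-hashes the password directly so the wrapper disappears over time. It uses hashlib.scrypt from the standard library as a stand-in for bcrypt so it runs without extra packages; the record format and function names are invented for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Stand-in for bcrypt (assumption for this example): scrypt from the standard
# library. With a real bcrypt library only this function changes.
def slow_hash(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)

def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 hex digest: the legacy record format discussed in the thread."""
    return hashlib.sha1(password.encode()).hexdigest()

def wrap_legacy(sha1_hex: str) -> str:
    """'At once' migration: slow-hash the stored digest itself, no password needed.
    Record format (invented): wrapped$<salt hex>$<digest hex>."""
    salt = os.urandom(16)
    return "wrapped$%s$%s" % (salt.hex(), slow_hash(sha1_hex.encode(), salt).hex())

def hash_plain(password: str) -> str:
    """Plain slow hash of the password, the end state after a reset or a login upgrade."""
    salt = os.urandom(16)
    return "plain$%s$%s" % (salt.hex(), slow_hash(password.encode(), salt).hex())

def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, replacement_record). replacement_record is a plain record when
    a wrapped record verified, so the caller can drop the sha1 layer on login."""
    parts = stored.split("$")
    if len(parts) != 3:
        return False, None          # malformed record: reject, never guess
    kind, salt_hex, digest_hex = parts
    salt = bytes.fromhex(salt_hex)
    if kind == "wrapped":
        candidate = slow_hash(legacy_sha1(password).encode(), salt)
    elif kind == "plain":
        candidate = slow_hash(password.encode(), salt)
    else:
        return False, None          # unknown scheme: reject
    ok = hmac.compare_digest(candidate.hex(), digest_hex)
    if ok and kind == "wrapped":
        return True, hash_plain(password)   # upgrade path: re-hash directly
    return ok, None
```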