[Catalog-sig] Mandatory Reset of PyPI Passwords
Giovanni Bajo
rasky at develer.com
Wed Feb 13 22:11:28 CET 2013
On 13 Feb 2013, at 22:07, Donald Stufft <donald.stufft at gmail.com> wrote:
> On Wednesday, February 13, 2013 at 4:05 PM, Giovanni Bajo wrote:
>> You probably forgot to tell your security researcher that we *start* from sha1 hashes.
>>
> No, I told him, but Richard has said he's going to do a forced password reset a
> week after he sends an email to everyone informing them of that. In that case the risk
> to keeping the unsalted sha1's around for another week is pretty minimal.
Yes, agreed.
--
Giovanni Bajo :: rasky at develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it