[Distutils] Password security

Donald Stufft donald at stufft.io
Wed Sep 4 17:56:21 CEST 2013


On Sep 4, 2013, at 11:53 AM, Antoine Pitrou <antoine at python.org> wrote:

> Donald Stufft <donald <at> stufft.io> writes:
>> 
>> On Sep 4, 2013, at 11:28 AM, Nick Coghlan <ncoghlan <at> gmail.com> wrote:
>> 
>>> The *best* answer is for a service to use 2-factor authentication
>>> instead of relying entirely on passwords (the "physical object" Donald
>>> mentioned earlier), but we don't have the resources to set that up,
>>> and certainly can't require it for all PyPI users (since you either
>>> need a physical token or a phone capable of running an app like Google
>>> Authenticator).
>> 
>> PyPI will gain 2 Factor Auth support in Warehouse. It's something I feel
>> strongly about and am going to make it work. It obviously won't be required for the
>> reasons you listed, but if folks turn it on then it'll be required for
>> their account.
>> Likely also projects will be able to require that their projects
>> themselves get modified only by an account with 2FA enabled as well.
> 
> What would the second factor be in this case?
> (besides the usual password-based or OpenID-based auth factor?)


Something that implements the standard TOTP algorithm. There are a number
of apps for phones that enable it as well as desktop apps. Possibly support for
users to buy a YubiKey or an RSA token as well. A lot of the details are really
sketchy because I haven't actually done it yet, but I know that a) it'll be supported
and b) at a minimum TOTP will be supported.


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
