[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Victor Stinner victor.stinner at gmail.com
Mon Dec 11 04:58:20 EST 2017 

Hi,

On 12 February 2017, I got an email from Bitbucket: "we detected a
suspicious login to your Bitbucket Cloud account. We believe that a
malicious actor used a large database of usernames and passwords
stolen from third party services to access Bitbucket Cloud accounts.
We can't know exactly how your password was first compromised, however
it was not caused by Atlassian."

Wow. That's huge for me:

* I was using the same password for almost all services (except of
Gmail): GitHub, Bitbucket, a lot of web services. In term of security,
that's "bad". I know... but it is convenient...

* I had a few different password that I stored in clear text in a text
file which was hosted on a private repository on... Bitbucket

While *now* I'm quite sure that the hacker only succeed to log in but
didn't notice my password file, it was a good "opportunity" to upgrade
my security...

By the way, I suggest you to subscribe to https://haveibeenpwned.com/
which is a service to be notified if one of the service that you are
using have seen "pwned".

Using victor.stinner at gmail.com you can see "Breaches you were pwned
in: Dailymotion (october 2016) and GeekedIn (August 2016)". (There is
also a pastebin with my email, but it's just statistics on Mercurial,
nothing sensitive :-))

The question is no more if you have been hacked, but how much time do
you have before one of the services that you are using will be
hacked... haveibeenpwned.com only reference a few breaches that has
been made public...

It was an electric shock for me. I immediately changed the password of
the most critical services for me: GitHub, Bitbucket and many others.
I generated a random password of +10 characters (using KeePassX). I
started to use KeePassX password manager to stop storing passwords in
clear text, with a master passphrase to encrypt all these passwords.

I also acquired a Yubikey Nano. It's 50$. You may think that it's
expensive. But the question is more how much do you estimate all your
data of all your computers? Less than 50$, seriously? :-)

The next step was to enable 2-factor authentication on GitHub and Bitbucket:

* Configure the yubikey to generate an OTP for GitHub (for "long
press" on the key)
* Firefox: install
https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/ to use
Yubikey with GitHub (sadly, the plugin doesn't work with Bitbucket nor
Google yet)
* Enable 2-factor auth on GitHub and Bitbucket using Yubikey
* Print two-step recoverty codes on paper and keep it safe somewhere

If you cannot affort a Yubikey, don't or cannot use it, you may want
to use FreeOTP: free OTP application for a smartphone (I'm using it on
Android), usable with GitHub, Bitbucket, Google, etc. It's not
exclusive, you can have multiple 2-factor keys (Yubikey, FreeOTP,
something else).


Oh, my explanation makes the assumption that you all already enabled
2-factor auth on your email, right? :-) If you wasn't aware: email is
simply the *most* critical part of your whole online data. If a hacker
gets access to your email, you already lost all your online
accounts...

For Gmail users: you may have a look at
https://myaccount.google.com/security as well. Maybe remove old
services that have access to your Google account?


After the hack, I also generated a new SSH key, even if it wasn't
stored online and is encrypted by a passphrase. Just because I was
using the same key since many years. I chose to use the new modern
ed25519 key format. It uses an elliptic curve rather than RSA, it's a
different kind of security. While I don't know if it's more secure, I
read that it's faster :-)

https://en.wikipedia.org/wiki/EdDSA

I was able to use this new key formats on all services... except Launchpad.

Changing a private SSH key isn't easy:

* You have to install the new SSH on most services that you are using
* You have to manually remove the old SSH key from *all* services that
you are using (there is no global "SSH revokation" service...)
* I used ~/.ssh/known_hosts to get most services, but also updated
GitHub, Bitbucket, etc.
* There are a few other services like psf-salt/psf-chef where you may
also want to see your SSH key updated
* The question is then if the old SSH key must be removed... the
problem is that I never tried to keep track of services that I'm using
through SSH, so I decided to keep the old SSH key (outside ~/.ssh). In
practice, I'm only using my new SSH private since longer than 6 months
and I was never blocked.

I also had trouble to get working SSH agent on Gnome for my ed25519
key, but I succeeded to enable the regular ssh-agent using systemd
--user. Tell me if you want instructions for this part as well.

Victor

More information about the python-committers mailing list