[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Stefan Krah stefan at bytereef.org
Mon Dec 11 07:29:36 EST 2017

On Mon, Dec 11, 2017 at 12:19:46PM +0100, Victor Stinner wrote:
> 2017-12-11 12:05 GMT+01:00 Stefan Krah <stefan at bytereef.org>:
> > https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise
> > https://gist.github.com/peternixey/1978249
> >
> > I'm pretty sure my long GitHub-only password is more secure than several
> > key-gen algorithms on smart cards ...
> I wouldn't comment on the attack on RSA SecurID, but I disagree that a
> single password is stronger than password + OTP.
> The principle of the 2-factor auth is that the attacker has to break
> two auths rather than only one. So even if you break RSA SecurID, the
> hacker still has to break your ultra secure GitHub-only password ;-)

Well sure, but the bureaucracy increases and ultimately the entity being
protected is still a Ruby on Rails web app (at least that's what I have
heard, I may be wrong).

SSH isn't available everywhere, I don't want to install an app or give
out my phone number to half of Silicon Valley [1].

Buying a GitHub-only SIM card would be an option still...

Stefan Krah

[1] Which is probably the real reason why 2FA is so popular.

