[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Alex Gaynor alex.gaynor at gmail.com
Mon Dec 11 15:19:48 EST 2017


The reason for the username-then-a-new-page-for-password flow in many cases
is that the sites have multiple flows depending on your username! The GMail
login page for example can send you to either the password page since
you're a consumer account, the password page because you're a GSuite
account using Google login, or an off-site page since you're a GSuite using
SAML. (This is ignoring the need to choose 2FA flows -- TOTP vs SMS vs
Security Key!)

Alex

On Mon, Dec 11, 2017 at 3:11 PM, R. David Murray <rdmurray at bitdance.com>
wrote:

> On Mon, 11 Dec 2017 14:52:54 -0500, "R. David Murray" <
> rdmurray at bitdance.com> wrote:
> > Indeed.  If 2fa is required for contribution to CPython, I'll stop
> > contributing.  Granted, I haven't done many merges lately, but a few
> > is a bigger number than zero :)
>
> And in case you think this means I don't consider security important:
> I have been using strong, unique-per-site passwords (and in many cases
> unique usernames/emails) for many years, and I run my own email server.
>
> --David
>
> Aside: something I have never understood is the relatively recent
> craze for enter-username-first-then-go-to-password-screen.  Most of the
> implementations I have encountered tell you if the username is unknown.
> That reduces the cracker's search space by a considerable amount.  Using
> your email address as the account id has the same problem, magnified.
> I had already started using unique usernames/emails before that trend
> happened, to battle spam, but it certainly reinforced my motivation for
> doing so.  I unfortunately haven't gotten around to backfilling a lot
> of the sites I did sign up to using my primary email address :(
> _______________________________________________
> python-committers mailing list
> python-committers at python.org
> https://mail.python.org/mailman/listinfo/python-committers
> Code of Conduct: https://www.python.org/psf/codeofconduct/
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
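
Added example, not part of the original thread: a Python sketch of the username-first routing described in the message above, written so that the first step answers identically for known and unknown accounts, next to a variant that reports unknown usernames as described in the quoted aside. All domains, accounts and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: every domain and account below is hypothetical.
SAML_TENANTS = {"corp.example": "https://idp.corp.example/sso"}  # off-site SSO
HOSTED_TENANTS = {"school.example"}  # organisation accounts on the site's own login
ACCOUNTS = {"alice@mail.example", "bob@school.example", "carol@corp.example"}


@dataclass(frozen=True)
class NextStep:
    page: str                       # which page the browser is sent to next
    redirect: Optional[str] = None  # set only for the off-site SAML flow


def domain_of(identifier: str) -> str:
    return identifier.strip().lower().rpartition("@")[2]


def route_identifier(identifier: str) -> NextStep:
    """Choose the second page from tenant (domain) configuration only.

    Account existence is never consulted, so a made-up address gets the
    same answer as a real one in the same domain.
    """
    domain = domain_of(identifier)
    if domain in SAML_TENANTS:
        return NextStep("saml", SAML_TENANTS[domain])
    if domain in HOSTED_TENANTS:
        return NextStep("org-password")
    return NextStep("consumer-password")


def leaky_route(identifier: str) -> NextStep:
    """Variant that reports unknown usernames at step one."""
    if identifier.strip().lower() not in ACCOUNTS:
        return NextStep("unknown-username")
    return route_identifier(identifier)


def leaks_existence(route: Callable[[str], NextStep], known: str, unknown: str) -> bool:
    """True if step one answers differently for a known and an unknown
    account in the same domain, i.e. the page confirms usernames."""
    assert domain_of(known) == domain_of(unknown)
    return route(known) != route(unknown)
```
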