+1 On Feb 12, 2013, at 6:31 AM, Donald Stufft <[email protected]> wrote:
> Since the wiki.python.org database was likely compromised and it was using a
> weak hash we should probably assume that all passwords in there have been
> leaked. Because of this I want to formally propose that PyPI reset its
> passwords.
>
> I've recently created a PR (based on some of Giovanni Bajo's) that switches
> PyPI to using passlib and ideally bcrypt (although configurable). Included in
> that PR is the ability to auto migrate from the existing scheme (unsalted
> sha1) to the new scheme (bcrypt) upon login.
>
> However I think a better approach would be to not automatically upgrade and
> instead have the upgrade occur when a user changes their password. Then we
> should set a date (A month from now? 2?) where any user who has not
> reset/changed their password will have their password invalidated and will
> need to use PyPI's recovery options.
>
> The reason I believe we should reset is because there is a high likelihood
> that people used the same login/password on PyPI as they did on
> wiki.python.org and thus even if we migrate to a stronger hash many accounts
> may be already compromised, or will be in the future.
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
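The two migration strategies in the quoted proposal (rehash on login versus rehash only on password change, with a cutoff date after which un-migrated legacy hashes are invalidated) can be shown side by side in a small stand-alone sketch. This is an added example, not the PR or PyPI's own code: it uses stdlib PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt-via-passlib scheme the PR uses, a constructed in-memory user table, and a hypothetical cutoff date (`RESET_DEADLINE`) two months after the proposal; scheme tags, function names and the recovery message are all assumptions made here.

```python
import base64
import hashlib
import hmac
import os
from datetime import date

LEGACY_SCHEME = "sha1"                  # unsalted SHA-1 hex digest, as the thread describes
NEW_SCHEME = "pbkdf2-sha256"            # stand-in for bcrypt so the example runs offline
PBKDF2_ROUNDS = 100_000
PROPOSAL_DATE = date(2013, 2, 12)
RESET_DEADLINE = date(2013, 4, 12)      # hypothetical "2 months from now" cutoff


def hash_legacy(password: str) -> str:
    """The weak legacy format: unsalted SHA-1, hex-encoded."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_new(password: str) -> str:
    """Salted, iterated hash, self-describing like a passlib/modular-crypt string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "$%s$%d$%s$%s" % (
        NEW_SCHEME, PBKDF2_ROUNDS,
        base64.b64encode(salt).decode(), base64.b64encode(dk).decode(),
    )


def scheme_of(stored: str) -> str:
    """Identify which scheme a stored hash uses from its prefix tag."""
    return NEW_SCHEME if stored.startswith("$" + NEW_SCHEME + "$") else LEGACY_SCHEME


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison against either scheme."""
    if scheme_of(stored) == NEW_SCHEME:
        _, _, rounds, salt_b64, dk_b64 = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), base64.b64decode(salt_b64), int(rounds))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    return hmac.compare_digest(hash_legacy(password), stored)


def login(users: dict, username: str, password: str, today: date,
          upgrade_on_login: bool) -> tuple:
    """Authenticate. With upgrade_on_login=True this is the PR's auto-migrate
    behaviour; with False it is the proposal's alternative, where legacy hashes
    are only replaced by change_password() and die at RESET_DEADLINE."""
    stored = users.get(username)
    if stored is None:
        return False, "no such user"
    legacy = scheme_of(stored) == LEGACY_SCHEME
    if legacy and today >= RESET_DEADLINE:
        # Past the cutoff a legacy hash is treated as leaked, even if correct.
        return False, "password invalidated; use account recovery"
    if not verify(password, stored):
        return False, "bad password"
    if legacy and upgrade_on_login:
        users[username] = hash_new(password)   # plaintext is available only now
    return True, "ok"


def change_password(users: dict, username: str, old: str, new: str,
                    today: date) -> tuple:
    """The proposal's preferred migration point: rehash when the user sets a new password."""
    ok, reason = login(users, username, old, today, upgrade_on_login=False)
    if not ok:
        return False, reason
    users[username] = hash_new(new)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    users = {"alice": hash_legacy("hunter2")}
    print(login(users, "alice", "hunter2", PROPOSAL_DATE, upgrade_on_login=False), scheme_of(users["alice"]))
    print(change_password(users, "alice", "hunter2", "correct horse", PROPOSAL_DATE), scheme_of(users["alice"]))
    print(login({"bob": hash_legacy("pw")}, "bob", "pw", RESET_DEADLINE, upgrade_on_login=False))
```

Note the security point the proposal is making: either migration path needs the plaintext, so an account that is never logged into (or whose password is never changed) keeps its unsalted SHA-1 indefinitely unless a deadline forces it out, and a correct password presented after the deadline is still rejected because the hash is assumed to have been cracked from the wiki dump.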
