Donald Stufft <donald.stufft <at> gmail.com> writes:
>
> However I think a better approach would be to not automatically upgrade and instead
> have the upgrade occur when a user changes their password. Then we should set
> a date (A month from now? 2?) where any user who has not reset/changed their
> password will have their password invalidated and will need to use PyPI's recovery
> options.
What would that change exactly? There's still a two-month window during which the leaked password can be exploited.

Also, I don't understand why you're tying this to the hashing scheme migration. They're two orthogonal schemes. I still think the original migration scheme should be applied (i.e. migrate all passwords immediately to bcrypt + sha1). Whether some passwords should also be reset is a separate concern.

Besides, keep in mind that many people will never explicitly log in to PyPI; they simply use "setup.py upload". As someone mentioned, their account might be tied to an e-mail that isn't even valid anymore.

Regards

Antoine.

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
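The "migrate all passwords immediately to bcrypt + sha1" scheme Antoine refers to means wrapping each stored SHA-1 digest inside a slow hash right away, without waiting for the user to log in, and re-hashing the plain password on the next successful login. The following is an added illustration, not code from this thread or from PyPI; it assumes an unsalted SHA-1 hex digest as the legacy record, uses a constructed user table, and stands in PBKDF2-HMAC-SHA256 from the standard library for bcrypt because bcrypt is not in the stdlib (the wrapping pattern is the same).

```python
import hashlib
import hmac
import secrets

ROUNDS = 100_000  # PBKDF2 work factor; stands in for bcrypt's cost parameter


def legacy_sha1(password: str) -> str:
    """Assumed legacy format: unsalted SHA-1 hex digest of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(material: bytes, salt: bytes) -> bytes:
    """Slow KDF (stand-in for bcrypt) applied to either a password or a SHA-1 hex digest."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, ROUNDS)


def wrap_legacy(sha1_hex: str) -> str:
    """Offline migration step: strengthen a stored SHA-1 digest without knowing the password."""
    salt = secrets.token_bytes(16)
    return "slow+sha1$" + salt.hex() + "$" + slow_hash(sha1_hex.encode(), salt).hex()


def hash_password(password: str) -> str:
    """Target scheme once the plaintext is available again: slow hash directly over the password."""
    salt = secrets.token_bytes(16)
    return "slow$" + salt.hex() + "$" + slow_hash(password.encode(), salt).hex()


def verify(password: str, stored: str) -> bool:
    """Dispatch on the scheme tag so both migrated and fully upgraded records verify."""
    scheme, salt_hex, dk_hex = stored.split("$")
    if scheme == "slow+sha1":
        material = legacy_sha1(password).encode()  # reproduce the legacy inner hash
    elif scheme == "slow":
        material = password.encode()
    else:
        return False  # unknown or un-migrated scheme: refuse rather than guess
    return hmac.compare_digest(slow_hash(material, bytes.fromhex(salt_hex)), bytes.fromhex(dk_hex))


def migrate_all(users: dict) -> dict:
    """Wrap every bare SHA-1 record at once; records already carrying a scheme tag are left alone."""
    return {name: (h if "$" in h else wrap_legacy(h)) for name, h in users.items()}


def login(users: dict, name: str, password: str) -> bool:
    """Verify, then opportunistically re-hash a wrapped record to the direct scheme on success."""
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("slow+sha1$"):
        users[name] = hash_password(password)
    return True
```

Note that `wrap_legacy` needs only the digest already on disk, which is why the whole table can be migrated in one pass before anyone logs in, while the "slow$" upgrade in `login` only happens for accounts that are actually used.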
