[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-29 Thread Guido van Rossum
There’s another possible explanation. This mailing list is archived and the
archives are publicly readable.

On Tue, Jun 29, 2021 at 22:07 Tim Peters  wrote:

> Just for interest, I noticed a failed login attempt to my Github
> account about two hours ago, originating in Toronto.
>
> That's the first fishy thing Github's security log ever showed for my
> account.
>
> I do have 2FA enabled there now, so I'm not worried.
>
> Coincidence? About a week after I enabled 2FA for my Microsoft
> account, that _also_ notified me for the very first time of a failed
> login attempt.
>
> Maybe the NSA tracks when people enable 2FA, and after about a week
> gets around to making sure they can still break in ;-)
-- 
--Guido (mobile)
___
python-committers mailing list -- python-committers@python.org
To unsubscribe send an email to python-committers-le...@python.org
https://mail.python.org/mailman3/lists/python-committers.python.org/
Message archived at 
https://mail.python.org/archives/list/python-committers@python.org/message/4HY35H774XX6GDWPYG2MNLI6BGFFTP6B/
Code of Conduct: https://www.python.org/psf/codeofconduct/


2021-06-29 Thread Tim Peters
Just for interest, I noticed a failed login attempt to my Github
account about two hours ago, originating in Toronto.

That's the first fishy thing Github's security log ever showed for my account.

I do have 2FA enabled there now, so I'm not worried.

Coincidence? About a week after I enabled 2FA for my Microsoft
account, that _also_ notified me for the very first time of a failed
login attempt.

Maybe the NSA tracks when people enable 2FA, and after about a week
gets around to making sure they can still break in ;-)
___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/EUYIGLWM63BZLKROTGSOYSS57V3S2FU4/

2021-06-22 Thread Tim Peters
FYI, after getting nudged by Jack Jansen (thanks!), I'm using 2FA on
GitHub now. If I can do it, anyone can. On Windows desktop, no smart
phone, no cell phone, no QR code scanner. Using Authy (free), which
did one setup step via a landline phone call instead (Authy does
demand to know _a_ phone number for you).

No, I have no real idea what I did, or why, and part didn't work until
I deleted an embedded space from a copy/paste of a 6-digit integer
Authy told me to paste into Github. And I have no interest in knowing
more about it either ;-)

if-it's-incomprehensible-it-must-be-secure-ly y'rs  - tim
___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/PR6RWYCFVDKNGHXNA5VU4UNSDRU5PSWL/

2021-06-16 Thread Julien Palard via python-committers
On 6/16/21 at 10:50 AM, Antoine Pitrou wrote:
> It's as reliable as printing passwords on a piece of paper, isn't it?

The password is *something you know*, so we (all?) agree: printing it is
a bad idea.

The 2nd factor is *something you have*, so printing them is not an
issue, and having them in your wallet is fine too (and can even save the
day).

A U2F key as a 2nd factor is *something you have* too, it's neither more
nor less physical than paper in your wallet.

The idea is: it's harder to steal something you know *and* something you
have.

--
[Julien Palard](https://mdk.fr)

___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/GRRZOEALYA6PZ3KXY2L5DWBIJWNZCMSK/

2021-06-16 Thread Christian Heimes
On 16/06/2021 10.50, Antoine Pitrou wrote:
> 
> On 16/06/2021 at 10:33, Christian Heimes wrote:
>> On 16/06/2021 07.14, Julien Palard via python-committers wrote:
>>> I do use a Yubikey too.
>>>
>>> On 6/14/21 at 11:27 PM, Tim Peters wrote:
>>>> If I buy one and plug it in, and that's the end of it, fine by me
>>>
>>> That's almost as simple as you want:
>>>
>>> - In Github settings 2FA tab you'll have to hit a "Register a new
>>> security key" button, it makes your key "blink" (blinking means: please
>>> touch the key to allow this action).
>>>
>>> - Then every time you log in your key blinks and you have to touch it to
>>> allow this action.
>>>
>>> And that's it. It uses an open standard called U2F [1] which works on a
>>> variety of setups (it works with Firefox on Debian for example). It also
>>> works on pypi.org \o/.
>>>
>>> If the PSF is willing to help financially, I'd recommend everyone to buy
>>> (and register) two keys: a primary key and a backup key in case you
>>> lose or break the first one.
>>
>> Most sites with MFA support have backup/recovery codes, too. I recommend
>> that you generate backup codes, print them out and store the printout
>> with your important documents. It's low tech and safe.
> 
> It's as reliable as printing passwords on a piece of paper, isn't it?

No, recovery codes on paper are much more secure than printing passwords
on paper.

Passwords give an attacker immediate access to your account.

Recovery codes only contain one-time use second factors. They are
useless without the first factor (password). You keep recovery codes at
home, too. An attacker would need to get access to your first factor and
then break into your apartment to locate and steal your second factor.

Christian
___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/JK67MJV44WV7V5UAJ2H4EL62CLG75OFY/

2021-06-16 Thread Antoine Pitrou

On 16/06/2021 at 07:14, Julien Palard via python-committers wrote:
> I do use a Yubikey too.
>
> On 6/14/21 at 11:27 PM, Tim Peters wrote:
>> If I buy one and plug it in, and that's the end of it, fine by me
>
> That's almost as simple as you want:
>
> - In Github settings 2FA tab you'll have to hit a "Register a new
> security key" button, it makes your key "blink" (blinking means: please
> touch the key to allow this action).
>
> - Then every time you log in your key blinks and you have to touch it to
> allow this action.
>
> And that's it. It uses an open standard called U2F [1] which works on a
> variety of setups (it works with Firefox on Debian for example).

For the record, U2F has never worked for me with Firefox on Ubuntu.  It
works with the Firefox binaries provided by Mozilla, though.

Regards

Antoine.
___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/ZMTNMYBVDTVS7H7M5M4R72HS77VNDRZC/

2021-06-16 Thread Antoine Pitrou

On 16/06/2021 at 10:33, Christian Heimes wrote:
> On 16/06/2021 07.14, Julien Palard via python-committers wrote:
>> I do use a Yubikey too.
>>
>> On 6/14/21 at 11:27 PM, Tim Peters wrote:
>>> If I buy one and plug it in, and that's the end of it, fine by me
>>
>> That's almost as simple as you want:
>>
>> - In Github settings 2FA tab you'll have to hit a "Register a new
>> security key" button, it makes your key "blink" (blinking means: please
>> touch the key to allow this action).
>>
>> - Then every time you log in your key blinks and you have to touch it to
>> allow this action.
>>
>> And that's it. It uses an open standard called U2F [1] which works on a
>> variety of setups (it works with Firefox on Debian for example). It also
>> works on pypi.org \o/.
>>
>> If the PSF is willing to help financially, I'd recommend everyone to buy
>> (and register) two keys: a primary key and a backup key in case you
>> lose or break the first one.
>
> Most sites with MFA support have backup/recovery codes, too. I recommend
> that you generate backup codes, print them out and store the printout
> with your important documents. It's low tech and safe.

It's as reliable as printing passwords on a piece of paper, isn't it?

___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/XKTCGU4LYKV2T2VVUP3QGPDKFAZO4K34/

2021-06-16 Thread Christian Heimes
On 16/06/2021 07.14, Julien Palard via python-committers wrote:
> I do use a Yubikey too.
> 
> On 6/14/21 at 11:27 PM, Tim Peters wrote:
>> If I buy one and plug it in, and that's the end of it, fine by me
> 
> That's almost as simple as you want:
> 
> - In Github settings 2FA tab you'll have to hit a "Register a new
> security key" button, it makes your key "blink" (blinking means: please
> touch the key to allow this action).
> 
> - Then every time you log in your key blinks and you have to touch it to
> allow this action.
> 
> And that's it. It uses an open standard called U2F [1] which works on a
> variety of setups (it works with Firefox on Debian for example). It also
> works on pypi.org \o/.
> 
> If the PSF is willing to help financially, I'd recommend everyone to buy
> (and register) two keys: a primary key and a backup key in case you
> lose or break the first one.

Most sites with MFA support have backup/recovery codes, too. I recommend
that you generate backup codes, print them out and store the printout
with your important documents. It's low tech and safe.

Christian
___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/DP327KUOLMGVHUDTGTXPK6VJFSEHV4ZP/

2021-06-16 Thread Marc-Andre Lemburg
Something I'd like to add to the discussion:

2FA on Github only applies to the website, not the SSH access:

https://docs.github.com/en/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication#authenticating-on-the-command-line-using-ssh

So by enabling 2FA you only protect settings and actions which can
only be done via the website. It's still possible for someone getting
access to your SSH key to push PRs in your name, for example.

Now 2FA in general is a good idea, but as someone who has lost access
to accounts because of my mobile's TOTP app failing on me, please
make sure that you do configure the available recovery methods
or take snapshots of the TOTP registration QR codes and store them
in a password manager (if that works with the website).

Failing to do so can make 2FA a nightmare, since websites will
make it really hard to regain access to the account when enabled.

BTW: A lot of this is smoke and mirrors or snake oil as they say...
the most vulnerable account is your email account and this
is still good old user id and password in many cases. Additionally,
emails tend to travel via several hops you don't have control
over, e.g. mailchimp et al., your provider. If you're lucky
all those hops use TLS for in-transit messages, but I have yet
to find a website which sends your access reset emails using
GPG or S/MIME for end-to-end encryption.
You know: weakest link in a chain, etc.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Jun 16 2021)
>>> Python Projects, Coaching and Support ...https://www.egenix.com/
>>> Python Product Development ...https://consulting.egenix.com/


::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   https://www.egenix.com/company/contact/
 https://www.malemburg.com/

___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/VD6QKSEH5GXTYVUEBUD62HFSYU5XIA7X/

2021-06-16 Thread Paul Moore
On Wed, 16 Jun 2021 at 06:15, Julien Palard via python-committers wrote:
>
> I do use a Yubikey too.

I'm not particularly bothered by the debate over 2FA (I have a 2FA app
on my phone that I use and that's sufficient) but I'd like to offer a
counter argument to everyone saying Yubikeys are a straightforward
solution (not particularly picking on you, Julien, a few people have
suggested this option). Maybe they are for a lot of people, but I have
3 PCs, a tablet and a phone that I routinely use for github access. At
least one is critically short of USB ports from all of the other junk
I have plugged in.

I checked the Yubikey website and their recommendation (based on my
answers to their questions about how I would use them) was to buy
*three* keys, each of which was priced at about €40-50. That's a lot
of money¹. And there was some comment about not working completely
seamlessly with my iPad, which worried me, as well. And even with 3
keys, that's still going to mean swapping keys as I have more than 3
devices...

So while I support the idea of having 2FA (I spotted a suspicious
attempt to log into my account that failed, like Brett, so there's
definitely a need) I don't think we should assume any particular
solution will work universally - and finding a working solution might
be hard for some people (for a long time, I didn't use a smartphone
regularly, and none of the available 2FA solutions really worked for
me). It sounds like a Yubikey might be a reasonable solution for Tim,
but only he can say that for sure, and we should avoid letting our
enthusiasm for our own preferred solution blind us to the fact that it
might not suit everyone.

(Sorry - some battle scars showing there, I've had rather too many
people tell me to get a Yubikey when it really doesn't work for me. It
soured me on 2FA for quite some time, until I found a solution that
suited me...)

Paul

¹ Yes, I know it's way less than I spent on all those PCs!!!
___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/6GFHYEEO6G6OQQ26K6FW4FO4R34PEA2L/

2021-06-15 Thread Julien Palard via python-committers
I do use a Yubikey too.

On 6/14/21 at 11:27 PM, Tim Peters wrote:
> If I buy one and plug it in, and that's the end of it, fine by me

That's almost as simple as you want:

- In Github settings 2FA tab you'll have to hit a "Register a new
security key" button, it makes your key "blink" (blinking means: please
touch the key to allow this action).

- Then every time you log in your key blinks and you have to touch it to
allow this action.

And that's it. It uses an open standard called U2F [1] which works on a
variety of setups (it works with Firefox on Debian for example). It also
works on pypi.org \o/.

If the PSF is willing to help financially, I'd recommend everyone to buy
(and register) two keys: a primary key and a backup key in case you
lose or break the first one.

I personally have a USB-C key and a USB-A key, so I can choose my key
according to the USB port I need to use.

Then optionally you can set up a PIV application on the key to store your
private ssh key, and use PKCS11 to forward ssh connection challenges to
be resolved by the key. The big advantage is: your private key never
leaves the key (which is write-only). It's way more complicated than U2F
though!

[1]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
--
[Julien Palard](https://mdk.fr)

___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/HZPN57WF77CRUZAVSJQ7XP32V6I2VBE6/

2021-06-15 Thread Brett Cannon
On Tue, Jun 15, 2021 at 11:08 AM Mariatta  wrote:

> Thanks for sharing your experience, and I think it's important for us core
> developers to be careful and vigilant about this.
>
> I was wondering if we should add under the "core developers
> responsibility" section (
> https://devguide.python.org/coredev/#responsibilities), about securing
> their GitHub account with 2FA/MFA? I think this is something that can be
> made as required by the org admins. (and add that we'll work with folks if
> they need assistance in setting those up).
>

Yes, there's a setting at I believe the org level where we can require 2FA.
I've tossed something on the SC agenda (which is currently massive, so who
knows how long it will be before we get to this) to see if this is
something we want to consider (if 2FA would actually stop you from
contributing, do feel free to speak up, otherwise I assume it's a situation
like Tim where we just need to help you figure out how to make it work).

-Brett


>
>
>
> On Mon, Jun 14, 2021 at 12:38 PM Brett Cannon  wrote:
>
>> I have discovered someone tried to break into my GitHub account (you can
>> check yourself by going to https://github.com/settings/security-log and
>> looking for "failed to login" attempts for potentially odd geographical
>> locations for yourself). CPython probably would have been the biggest
>> target for them had they gotten in (my work stuff is all open source and it
>> would have required breaking into another account). But GitHub has a
>> completely unique password and MFA turned on, so they were unsuccessful.
>>
>> Please make sure you have a unique password for your GitHub account and
>> that you have 2FA/MFA turned on (I honestly think we should start requiring
>> this; I'm sure we can get money for folks to get security keys). Other
>> languages like PHP have been successfully hacked (
>> https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/),
>> so this isn't a hypothetical anymore that we would be targets for folks who
>> want to install a backdoor into one of the world's most popular programming
>> languages and is now mission-critical for a lot of massive corporations and
>> governments.
___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/U34DM5HVDFKF7KNC2KKGMFUEFKEDNCJ2/

2021-06-15 Thread Fred Drake
On Tue, Jun 15, 2021 at 2:08 PM Mariatta  wrote:

> Thanks for sharing your experience, and I think it's important for us core
> developers to be careful and vigilant about this.
>

Work picked up hardware fobs from Deepnet Security for a lower price.  We
paid about $16 apiece for 20, but had to go through their "request a quote"
web form.  Something like that should work fine for anyone who doesn't want
to use a smartphone or bind it to their password manager.  (After all, it
wouldn't really be 2FA if your password manager provided both factors!)


  -Fred

-- 
Fred L. Drake, Jr.
"There is nothing more uncommon than common sense."
  --Frank Lloyd Wright
___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/JK5PCOF6QPKDYRODB6RNC2H3QAVRAINX/

2021-06-15 Thread Mariatta
Thanks for sharing your experience, and I think it's important for us core
developers to be careful and vigilant about this.

I was wondering if we should add under the "core developers responsibility"
section (https://devguide.python.org/coredev/#responsibilities), about
securing their GitHub account with 2FA/MFA? I think this is something that
can be made as required by the org admins. (and add that we'll work with
folks if they need assistance in setting those up).



On Mon, Jun 14, 2021 at 12:38 PM Brett Cannon  wrote:

> I have discovered someone tried to break into my GitHub account (you can
> check yourself by going to https://github.com/settings/security-log and
> looking for "failed to login" attempts for potentially odd geographical
> locations for yourself). CPython probably would have been the biggest
> target for them had they gotten in (my work stuff is all open source and it
> would have required breaking into another account). But GitHub has a
> completely unique password and MFA turned on, so they were unsuccessful.
>
> Please make sure you have a unique password for your GitHub account and
> that you have 2FA/MFA turned on (I honestly think we should start requiring
> this; I'm sure we can get money for folks to get security keys). Other
> languages like PHP have been successfully hacked (
> https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/),
> so this isn't a hypothetical anymore that we would be targets for folks who
> want to install a backdoor into one of the world's most popular programming
> languages and is now mission-critical for a lot of massive corporations and
> governments.
___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/2ZJHJLXP5GNWLVYSEEHTAC2PTWLNLBST/

2021-06-14 Thread Jason R. Coombs
I use a mobile device to store TOTP tokens (one time use passcodes), but as I
also wish to use my workstation device to generate these tokens, I’ve
historically used a tool called oathtool to generate these one time tokens
(from a stored secret), but due to portability issues with the tool, I ended
up porting it to Python. Now with keyring and oathtool and jaraco.clipboard,
I’m able to (a) store the Github-generated key in a secure location, (b)
generate tokens from the command line, and (c) copy them to the clipboard for
easy pasting into a form (independent of platform). Since I use xonsh for my
shell, I’m able to readily create aliases for each of the sites I use thus:

```xonsh
import functools
import keyring
import jaraco.clipboard


def get_oath(system, user):
    # Fetch the base32 secret GitHub showed at enrolment; drop any embedded
    # spaces so oathtool accepts it.
    code = keyring.get_password(system, user).replace(' ', '')
    # Run oathtool as a subprocess (xonsh capture syntax), strip the newline.
    otp = $(oathtool @(code)).rstrip()
    jaraco.clipboard.copy(otp)


def add_mfa(alias, system, user):
    # Register a shell alias bound to this site's stored secret
    # (`aliases` is xonsh's built-in alias table).
    aliases[alias] = functools.partial(get_oath, system, user)


add_mfa('github-mfa', 'GitHub MFA', 'jaraco')
```

Now, when I type `github-mfa` in my shell, keyring retrieves the key from a 
secure storage, oathtool converts that to a valid one time passcode, and then 
jaraco.clipboard puts that on the clipboard, all using nothing but Python and a 
few libs.

The workflow may not be the best for you, and is probably not quite as secure 
as a hardware token like Yubikey, but as long as the password store is kept as 
secure as the hardware token, it’s comparable, and a fair deal more secure than 
with a password and does supply a second factor. I welcome others to copy all 
or part of the approach.


On 14 Jun, 2021, at 18:29, Terry Reedy wrote:
> On 6/14/2021 3:38 PM, Brett Cannon wrote:
>> I have discovered someone tried to break into my GitHub account (you can
>> check yourself by going to https://github.com/settings/security-log and
>> looking for "failed to login" attempts for potentially odd geographical
>> locations for yourself).
>
> I checked and the only logins are me, at home, with the same IP address. (I
> realize that this could change.) My only development system is on my desktop,
> so github *could* let me check a box to use the location as a quasi 2nd factor.
> If the IP address changes, they *could* immediately email (if requested).
>
> TJR

___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/7QQYG7NST66LQMXF5RB4GCAQ6B3RANGF/


2021-06-14 Thread Terry Reedy

On 6/14/2021 3:38 PM, Brett Cannon wrote:
> I have discovered someone tried to break into my GitHub account (you can
> check yourself by going to https://github.com/settings/security-log
> and looking for "failed to login" attempts for potentially odd
> geographical locations for yourself).

I checked and the only logins are me, at home, with the same IP address. 
(I realize that this could change.) My only development system is on my 
desktop, so github *could* let me check a box to use the location as a 
quasi 2nd factor.  If the IP address changes, they *could* immediately 
email (if requested).


TJR

___
Message archived at
https://mail.python.org/archives/list/python-committers@python.org/message/IZPTKBBDWK3FA2GVJRZ4HBL2CJRUA76Q/
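Brett's quoted advice is to look through the security log for failed logins from odd locations, and Terry suggests location as a quasi second factor. As an added example that is not code from this thread or from GitHub, the script below does that triage over a constructed, simplified event list: it learns the usual countries from successful logins, flags failures and successes from anywhere else, and reports a cluster of failures from one address. The field and action names, the sample events and the addresses are all assumed; GitHub's real export may differ.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample security-log events (simplified; GitHub's real export
# has more fields and may name them differently). Addresses come from the
# RFC 5737 documentation ranges, countries are ISO codes, all made up.
SAMPLE_LOG = [
    {"action": "user.login",        "created_at": "2021-06-01T09:12:00Z", "country": "US", "ip": "203.0.113.7"},
    {"action": "user.login",        "created_at": "2021-06-03T18:40:00Z", "country": "US", "ip": "203.0.113.7"},
    {"action": "user.login",        "created_at": "2021-06-10T07:05:00Z", "country": "US", "ip": "203.0.113.9"},
    {"action": "user.failed_login", "created_at": "2021-06-14T11:02:10Z", "country": "RO", "ip": "198.51.100.23"},
    {"action": "user.failed_login", "created_at": "2021-06-14T11:02:41Z", "country": "RO", "ip": "198.51.100.23"},
    {"action": "user.failed_login", "created_at": "2021-06-14T11:03:15Z", "country": "RO", "ip": "198.51.100.23"},
    {"action": "user.failed_login", "created_at": "2021-06-14T11:03:59Z", "country": "RO", "ip": "198.51.100.23"},
    {"action": "user.login",        "created_at": "2021-06-15T08:30:00Z", "country": "US", "ip": "203.0.113.7"},
    {"action": "user.failed_login", "created_at": "2021-06-29T20:15:00Z", "country": "CA", "ip": "198.51.100.77"},
    {"action": "user.login",        "created_at": "2021-06-30T10:00:00Z", "country": "DE", "ip": "198.51.100.200"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def baseline_countries(events, min_successes: int = 2) -> set:
    """Countries seen in at least `min_successes` successful logins: the
    'usual location' that Terry's quasi second factor would key on."""
    counts = Counter(e["country"] for e in events if e["action"] == "user.login")
    return {country for country, n in counts.items() if n >= min_successes}


def flag_suspicious(events, baseline=None) -> list:
    """Return (reason, event) pairs for failed logins outside the baseline
    (what Brett suggests looking for) and for successful logins from a new
    country (the case needing immediate attention, since that attempt got in)."""
    if baseline is None:
        baseline = baseline_countries(events)
    alerts = []
    for e in events:
        if e["country"] in baseline:
            continue
        if e["action"] == "user.failed_login":
            alerts.append(("failed login from unusual location", e))
        elif e["action"] == "user.login":
            alerts.append(("successful login from new location", e))
    return alerts


def failed_login_bursts(events, threshold: int = 3, window_minutes: int = 10) -> dict:
    """Map source IP -> largest number of failed logins inside any window of
    `window_minutes`, keeping only IPs at or above `threshold`. A single
    failure (like Tim's Toronto attempt) is noise; a cluster looks like guessing."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "user.failed_login":
            by_ip[e["ip"]].append(parse_ts(e["created_at"]))
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


if __name__ == "__main__":
    for reason, e in flag_suspicious(SAMPLE_LOG):
        print(f"{e['created_at']} {e['country']} {e['ip']:<15} {reason}")
    print("bursts:", failed_login_bursts(SAMPLE_LOG))
```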


2021-06-14 Thread Donald Stufft


> On Jun 14, 2021, at 5:27 PM, Tim Peters  wrote:
> 
> [Donald Stufft ]
>> You can get a Yubikey for like $15? or so and use that for best in class 2fa.
>> 
>> You can also get an app for your desktop PC that can do TOTP codes
>> (1Password has it built in, I’ve never used any of these applications
>> though).
> 
> Thanks!  Alas, it's all utter gibberish to me.  I'm going to ignore
> this until GitHub refuses to talk to me ;-)
> 
> Their docs say "After you configure 2FA using a mobile app or via text
> message ...", neither of which I can do. If "Yubikey" requires some
> other kind of setup, their docs don't mention it.

The desktop apps I spoke of work instead of a Mobile app. 

I’ve never used these, but some googling suggests

https://www.microsoft.com/en-us/p/2-factor-authenticator/9nblggh5k7jn?activetab=pivot:overviewtab

Or 

https://www.microsoft.com/en-us/p/winotp-authenticator/9nf2rgqkx1mv?activetab=pivot:overviewtab

Might work if you’re on windows. 

There’s some for every OS though.

> 
> yubico.com lists a baffling variety of devices, from $24.50 to $90.00.
> If I buy one and plug it in, and that's the end of it, fine by me -
> happy to eat the cost. But I'm not keen to waste time wrestling with
> anything :-(

Sorry, the standard is called webauthn (or sometimes FIDO or U2F), and
yubikey is just the biggest supplier of them. Some information here:

https://github.blog/2019-08-21-github-supports-webauthn-for-security-keys/

I guess they’re more expensive than I last remembered them being. It’s been
a few years since I bought mine (or I got it on sale, I don’t remember).
There’s a review of some of the security keys available at

https://www.theverge.com/2019/2/22/18235173/the-best-hardware-security-keys-yubico-titan-key-u2f

Or if you like wire cutter:

https://www.nytimes.com/wirecutter/reviews/best-security-keys/

Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/SDW2VO22ASDSVHWEJOUREQ6V7TFUEBCF/


[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Terry Reedy

On 6/14/2021 5:06 PM, Donald Stufft wrote:

On Amazon, Yubikey is $45-55 for 3 kinds of interfaces.  One must buy 
the right one.  And then configure with each remote account. Pictures 
show usb-c keys plugged into laptops, but desktops and monitors with 
usb have standard usb-2/3 ports.  Fido NFC usb-a mobile device key is $25.

Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/ZPD334RYKELT5S6T3CNCOT74DJS354RB/


[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Tim Peters
[Donald Stufft ]
> You can get a Yubikey for like $15? or so and use that for best in class 2fa.
>
> You can also get an app for your desktop PC that can do TOTP codes
> (1Password has it built in, I’ve never used any of these applications
> though).

Thanks!  Alas, it's all utter gibberish to me.  I'm going to ignore
this until Github refuses to talk to me ;-)

Their docs say "After you configure 2FA using a mobile app or via text
message ...", neither of which I can do. If "Yubikey" requires some
other kind of setup, their docs don't mention it.

yubico.com lists a baffling variety of devices, from $24.50 to $90.00.
If I buy one and plug it in, and that's the end of it, fine by me -
happy to eat the cost. But I'm not keen to waste time wrestling with
anything :-(
Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/QEGHS575BNQEQ5TNKO4VCSL2QJTDJ2WC/


[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Donald Stufft


> On Jun 14, 2021, at 5:02 PM, Tim Peters  wrote:
> 
> [Brett]
>> ...
>> Please make sure you have a unique password for your GitHub account
>> and that you have 2FA/MFA turned on (I honestly think we should start
>> requiring this ...
> 
> I use 2FA on sites that cater to my reality ;-) That is, I don't have
> a smartphone, or a cell phone of any kind, or any device capable of
> scanning QR codes, or, as far as I know, capable of receiving SMS msgs
> (unless there's some way of tricking a desktop PC into doing so).
> 
> In its infinite wisdom, the US Social Security system started
> requiring stuff like the above for recipients to log in to their SS
> web accounts. Which was a disaster. While they should have known this
> in advance, I'm not the only US senior content to live with a desktop
> PC and a landline ;-)
> 
> SS soon changed to send a "security code" to your account's registered
> email address instead. That works fine. Several other sites do the
> same. My bank has an automated system that calls my (landline) phone
> number, and a computer-generated voice tells me a one-time security
> code for me to type in. Also fine.
> 
> But reading the Github 2FA docs, they don't _appear_ to offer any
> method I could use. Things "I have" are a desktop PC, an email
> address, and a landline phone number. That's it.

You can get a Yubikey for like $15? or so and use that for best in class 2fa.

You can also get an app for your desktop PC that can do TOTP codes (1Password 
has it built in, I’ve never used any of these applications though).

Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/3OYGIZB3FYOT55FR34MKMU6QSCTMNQZA/


[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Tim Peters
[Brett]
> ...
> Please make sure you have a unique password for your GitHub account
> and that you have 2FA/MFA turned on (I honestly think we should start
> requiring this ...

I use 2FA on sites that cater to my reality ;-) That is, I don't have
a smartphone, or a cell phone of any kind, or any device capable of
scanning QR codes, or, as far as I know, capable of receiving SMS msgs
(unless there's some way of tricking a desktop PC into doing so).

In its infinite wisdom, the US Social Security system started
requiring stuff like the above for recipients to log in to their SS
web accounts. Which was a disaster. While they should have known this
in advance, I'm not the only US senior content to live with a desktop
PC and a landline ;-)

SS soon changed to send a "security code" to your account's registered
email address instead. That works fine. Several other sites do the
same. My bank has an automated system that calls my (landline) phone
number, and a computer-generated voice tells me a one-time security
code for me to type in. Also fine.

But reading the Github 2FA docs, they don't _appear_ to offer any
method I could use. Things "I have" are a desktop PC, an email
address, and a landline phone number. That's it.
Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/D4D2KRXJXAL2Y3MRPW4LHQA5XBHV3EGA/


[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Victor Stinner
See also 
https://discuss.python.org/t/remove-coordinator-role-of-inactive-coordinators-on-bugs-python-org/866
for the security of bugs.python.org. So far, no action was taken.
Inactive coordinators kept their permission.

For GitHub, I'm using a Yubikey and FreeOTP for the 2FA.

Victor

On Mon, Jun 14, 2021 at 9:38 PM Brett Cannon  wrote:
>
> I have discovered someone tried to break into my GitHub account (you can 
> check yourself by going to https://github.com/settings/security-log and 
> looking for "failed to login" attempts for potentially odd geographical 
> locations for yourself). CPython probably would have been the biggest target 
> for them had they gotten in (my work stuff is all open source and it would 
> have required breaking into another account). But GitHub has a completely 
> unique password and MFA turned on, so they were unsuccessful.
>
> Please make sure you have a unique password for your GitHub account and that 
> you have 2FA/MFA turned on (I honestly think we should start requiring this; 
> I'm sure we can get money for folks to get security keys). Other languages 
> like PHP have been successfully hacked 
> (https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/),
>  so this isn't a hypothetical anymore that we would be targets for folks who 
> want to install a backdoor into one of the world's most popular programming 
> languages and is now mission-critical for a lot of massive corporations and 
> governments.



-- 
Night gathers, and now my watch begins. It shall not end until my death.
Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/OMN6F7JTE6JBGB4NO5S5R5XFVH7OTQ5D/