date:20171211

Hi,

On 12 February 2017, I got an email from Bitbucket: "we detected a
suspicious login to your Bitbucket Cloud account. We believe that a
malicious actor used a large database of usernames and passwords
stolen from third party services to access Bitbucket Cloud accounts.
We can't know exactly how your password was first compromised, however
it was not caused by Atlassian."

Wow. That's huge for me:

* I was using the same password for almost all services (except of
Gmail): GitHub, Bitbucket, a lot of web services. In term of security,
that's "bad". I know... but it is convenient...

* I had a few different password that I stored in clear text in a text
file which was hosted on a private repository on... Bitbucket

While *now* I'm quite sure that the hacker only succeed to log in but
didn't notice my password file, it was a good "opportunity" to upgrade
my security...

By the way, I suggest you to subscribe to https://haveibeenpwned.com/
which is a service to be notified if one of the service that you are
using have seen "pwned".

Using [email protected] you can see "Breaches you were pwned
in: Dailymotion (october 2016) and GeekedIn (August 2016)". (There is
also a pastebin with my email, but it's just statistics on Mercurial,
nothing sensitive :-))

The question is no more if you have been hacked, but how much time do
you have before one of the services that you are using will be
hacked... haveibeenpwned.com only reference a few breaches that has
been made public...

It was an electric shock for me. I immediately changed the password of
the most critical services for me: GitHub, Bitbucket and many others.
I generated a random password of +10 characters (using KeePassX). I
started to use KeePassX password manager to stop storing passwords in
clear text, with a master passphrase to encrypt all these passwords.

I also acquired a Yubikey Nano. It's 50$. You may think that it's
expensive. But the question is more how much do you estimate all your
data of all your computers? Less than 50$, seriously? :-)

The next step was to enable 2-factor authentication on GitHub and Bitbucket:

* Configure the yubikey to generate an OTP for GitHub (for "long
press" on the key)
* Firefox: install
https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/ to use
Yubikey with GitHub (sadly, the plugin doesn't work with Bitbucket nor
Google yet)
* Enable 2-factor auth on GitHub and Bitbucket using Yubikey
* Print two-step recoverty codes on paper and keep it safe somewhere

If you cannot affort a Yubikey, don't or cannot use it, you may want
to use FreeOTP: free OTP application for a smartphone (I'm using it on
Android), usable with GitHub, Bitbucket, Google, etc. It's not
exclusive, you can have multiple 2-factor keys (Yubikey, FreeOTP,
something else).


Oh, my explanation makes the assumption that you all already enabled
2-factor auth on your email, right? :-) If you wasn't aware: email is
simply the *most* critical part of your whole online data. If a hacker
gets access to your email, you already lost all your online
accounts...

For Gmail users: you may have a look at
https://myaccount.google.com/security as well. Maybe remove old
services that have access to your Google account?


After the hack, I also generated a new SSH key, even if it wasn't
stored online and is encrypted by a passphrase. Just because I was
using the same key since many years. I chose to use the new modern
ed25519 key format. It uses an elliptic curve rather than RSA, it's a
different kind of security. While I don't know if it's more secure, I
read that it's faster :-)

https://en.wikipedia.org/wiki/EdDSA

I was able to use this new key formats on all services... except Launchpad.

Changing a private SSH key isn't easy:

* You have to install the new SSH on most services that you are using
* You have to manually remove the old SSH key from *all* services that
you are using (there is no global "SSH revokation" service...)
* I used ~/.ssh/known_hosts to get most services, but also updated
GitHub, Bitbucket, etc.
* There are a few other services like psf-salt/psf-chef where you may
also want to see your SSH key updated
* The question is then if the old SSH key must be removed... the
problem is that I never tried to keep track of services that I'm using
through SSH, so I decided to keep the old SSH key (outside ~/.ssh). In
practice, I'm only using my new SSH private since longer than 6 months
and I was never blocked.

I also had trouble to get working SSH agent on Gnome for my ed25519
key, but I succeeded to enable the regular ssh-agent using systemd
--user. Tell me if you want instructions for this part as well.

Victor
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email


Le 11/12/2017 à 10:58, Victor Stinner a écrit :
> 
> I also had trouble to get working SSH agent on Gnome for my ed25519
> key, but I succeeded to enable the regular ssh-agent using systemd
> --user. Tell me if you want instructions for this part as well.

Blame gnome-keyring for this:
https://bugzilla.gnome.org/show_bug.cgi?id=723274

Regards

Antoine.
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Kushal Das

On Mon, Dec 11, 2017 at 3:28 PM, Victor Stinner
 wrote:
> Hi,
>

>
> The next step was to enable 2-factor authentication on GitHub and Bitbucket:
>
> * Configure the yubikey to generate an OTP for GitHub (for "long
> press" on the key)
> * Firefox: install
> https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/ to use
> Yubikey with GitHub (sadly, the plugin doesn't work with Bitbucket nor
> Google yet)
> * Enable 2-factor auth on GitHub and Bitbucket using Yubikey
> * Print two-step recoverty codes on paper and keep it safe somewhere
>
> If you cannot affort a Yubikey, don't or cannot use it, you may want
> to use FreeOTP: free OTP application for a smartphone (I'm using it on
> Android), usable with GitHub, Bitbucket, Google, etc. It's not
> exclusive, you can have multiple 2-factor keys (Yubikey, FreeOTP,
> something else).

On a related note, we should ask all committers to enable 2FA and then
make the organization to 2FA only on github. That is a standard policy of
many organizations on github.

Kushal
-- 
CPython Core Developer
Director, Python Software Foundation
https://kushaldas.in
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

On Mon, Dec 11, 2017 at 03:46:23PM +0530, Kushal Das wrote:
> On a related note, we should ask all committers to enable 2FA and then
> make the organization to 2FA only on github. That is a standard policy of
> many organizations on github.

https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise
https://gist.github.com/peternixey/1978249


I'm pretty sure my long GitHub-only password is more secure than several
key-gen algorithms on smart cards ...



Stefan Krah




___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

On 11 December 2017 at 10:16, Kushal Das  wrote:
> On a related note, we should ask all committers to enable 2FA and then
> make the organization to 2FA only on github. That is a standard policy of
> many organizations on github.

Before making such a requirement, we should ensure that doing so
doesn't harm usability. For example, I have no idea how 2FA would work
in conjunction with the command line git client on Windows,
particularly in terms of *not* prompting on every single activity, but
caching authentication appropriately. Also we should ensure that there
are viable 2FA options for people in places where mobile phone signals
are unreliable or unavailable (I come into that category :-()

Basically, before making such a change, let's ensure it doesn't do
more harm than good.

Paul
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 12:05 GMT+01:00 Stefan Krah :
> https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise
> https://gist.github.com/peternixey/1978249
>
> I'm pretty sure my long GitHub-only password is more secure than several
> key-gen algorithms on smart cards ...

I wouldn't comment the attack on RSA SecurID, but I disagree that a
single password is stronger than password + OTP.

The principle of the 2-factor auth is that the attacker has to break
two auths rather than only one. So even if you break RSA SecurID, the
hacker still has to break your ultra secure GitHub-only password ;-)

Victor
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Kushal Das

On Mon, Dec 11, 2017 at 4:44 PM, Paul Moore  wrote:
> On 11 December 2017 at 10:16, Kushal Das  wrote:
>> On a related note, we should ask all committers to enable 2FA and then
>> make the organization to 2FA only on github. That is a standard policy of
>> many organizations on github.
>
> Before making such a requirement, we should ensure that doing so
> doesn't harm usability. For example, I have no idea how 2FA would work
> in conjunction with the command line git client on Windows,
> particularly in terms of *not* prompting on every single activity, but
> caching authentication appropriately. Also we should ensure that there
> are viable 2FA options for people in places where mobile phone signals
> are unreliable or unavailable (I come into that category :-()
>
> Basically, before making such a change, let's ensure it doesn't do
> more harm than good.
>
Understood, the git command line tools work based on your ssh authentication.
2FA will only take place in case of user login using username/password.

Even before we get into long discussions about 2FA and other things, the first
step should be using a nice long passphrase (not password, but passphrase) which
one can remember. And if possible, use a local password manager to store it.

To create the passphrases, one can use the diceware tool ($ pip
install diceware ).
It is packaged for Debian, and I am working on the Fedora packaging
(on review state).

Kushal
-- 
CPython Core Developer
Director, Python Software Foundation
https://kushaldas.in
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 11:16 GMT+01:00 Kushal Das :
> On a related note, we should ask all committers to enable 2FA and then
> make the organization to 2FA only on github. That is a standard policy of
> many organizations on github.

The first step for that would be to have an idea of how many core
developers are using 2-factor auth. Administrators of the Python
organization on GitHub are allowed to see that.

Victor
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

On 11 December 2017 at 11:27, Kushal Das  wrote:
> On Mon, Dec 11, 2017 at 4:44 PM, Paul Moore  wrote:
>> On 11 December 2017 at 10:16, Kushal Das  wrote:
>>> On a related note, we should ask all committers to enable 2FA and then
>>> make the organization to 2FA only on github. That is a standard policy of
>>> many organizations on github.
>>
>> Before making such a requirement, we should ensure that doing so
>> doesn't harm usability. For example, I have no idea how 2FA would work
>> in conjunction with the command line git client on Windows,
>> particularly in terms of *not* prompting on every single activity, but
>> caching authentication appropriately. Also we should ensure that there
>> are viable 2FA options for people in places where mobile phone signals
>> are unreliable or unavailable (I come into that category :-()
>>
>> Basically, before making such a change, let's ensure it doesn't do
>> more harm than good.
>>
> Understood, the git command line tools work based on your ssh authentication.
> 2FA will only take place in case of user login using username/password.

Um, I use https not ssh, as for at least some of the time I'm behind a
firewall that only allows https, not ssh traffic. (I know, I'm sorry -
I can probably be the worst possible corner case for *any* suggestion
that gets made :-))

Paul

PS I'm not against the idea as a recommended practice - just concerned
about making it mandatory.
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email


> On Dec 11, 2017, at 7:03 AM, Paul Moore  wrote:
> 
> Um, I use https not ssh, as for at least some of the time I'm behind a
> firewall that only allows https, not ssh traffic. (I know, I'm sorry -
> I can probably be the worst possible corner case for *any* suggestion
> that gets made :-))


https://help.github.com/articles/providing-your-2fa-authentication-code/#through-the-command-line
 
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

On Mon, Dec 11, 2017 at 12:19:46PM +0100, Victor Stinner wrote:
> 2017-12-11 12:05 GMT+01:00 Stefan Krah :
> > https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise
> > https://gist.github.com/peternixey/1978249
> >
> > I'm pretty sure my long GitHub-only password is more secure than several
> > key-gen algorithms on smart cards ...
> 
> I wouldn't comment the attack on RSA SecurID, but I disagree that a
> single password is stronger than password + OTP.
> 
> The principle of the 2-factor auth is that the attacker has to break
> two auths rather than only one. So even if you break RSA SecurID, the
> hacker still has to break your ultra secure GitHub-only password ;-)

Well sure, but the bureaucracy increases and ultimately the entity being
protected is still a ruby on rails web app (at least that's what I have
heard, I may be wrong).

Ssh isn't available everywhere, I don't want to install an app or give
out my phone number to half of Silicon Valley [1].

Buying a GitHub-only sim card would be an option still...

Stefan Krah

[1] Which is probably the real reason why 2FA is so popular.

___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 13:29 GMT+01:00 Stefan Krah :
> Ssh isn't available everywhere, I don't want to install an app or give
> out my phone number to half of Silicon Valley [1].

SMS and FreeOTP are just a few options that you have to generate/get OTP.

I suggest to use Yubikey. It doesn't need to install an app or to give
your phone number, but it costs 50$. The advantage is that you can use
it to store your SSH and GPG keys.

See also https://www.u2fzero.com/ "A secure and open source 2 factor
authentication token. Designed to be affordable and reliable."

Victor
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email


Le 11/12/2017 à 13:47, Victor Stinner a écrit :
> 2017-12-11 13:29 GMT+01:00 Stefan Krah :
>> Ssh isn't available everywhere, I don't want to install an app or give
>> out my phone number to half of Silicon Valley [1].
> 
> SMS and FreeOTP are just a few options that you have to generate/get OTP.
> 
> I suggest to use Yubikey. It doesn't need to install an app or to give
> your phone number, but it costs 50$. The advantage is that you can use
> it to store your SSH and GPG keys.

Before recommending anything you/we should first give guidelines and
best practices for backup etc.

If you lose your 2FA device and don't have some kind of fallback your
accounts may be screwed.  As usual, security can conflict with usability
and the long-term availability of data.

Regards

Antoine.
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 13:51 GMT+01:00 Antoine Pitrou :
> Before recommending anything you/we should first give guidelines and
> best practices for backup etc.
>
> If you lose your 2FA device and don't have some kind of fallback your
> accounts may be screwed.  As usual, security can conflict with usability
> and the long-term availability of data.

Hum, in my first email I wrote:

"""
* Enable 2-factor auth on GitHub and Bitbucket using Yubikey
* Print two-step recovery codes on paper and keep it safe somewhere
"""

Using multiple tokens reduces the risk of losing access to your account.

Victor
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

On Mon, Dec 11, 2017 at 01:47:50PM +0100, Victor Stinner wrote:
> 2017-12-11 13:29 GMT+01:00 Stefan Krah :
> > Ssh isn't available everywhere, I don't want to install an app or give
> > out my phone number to half of Silicon Valley [1].
> 
> SMS and FreeOTP are just a few options that you have to generate/get OTP.
> 
> I suggest to use Yubikey. It doesn't need to install an app or to give
> your phone number, but it costs 50$. The advantage is that you can use
> it to store your SSH and GPG keys.

I'm not a fan of hardware key generation. :-)

https://en.wikipedia.org/wiki/YubiKey

"In October 2017, security researchers found a vulnerability (known as ROCA) in 
the implementation of RSA keypair generation in a cryptographic library used by 
a large number of Infineon security chips. The vulnerability allows an attacker 
to reconstruct the private key by using the public key.[18][19] All YubiKey 4, 
YubiKey 4C, and YubiKey 4 nano within the revisions 4.2.6 to 4.3.4 are affected 
by this vulnerability.[20] Yubico publicized a tool to check if a Yubikey is 
affected and replaces affected tokens for free.[21]"

___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

Le 11/12/2017 à 13:55, Victor Stinner a écrit :
> 2017-12-11 13:51 GMT+01:00 Antoine Pitrou :
>> Before recommending anything you/we should first give guidelines and
>> best practices for backup etc.
>>
>> If you lose your 2FA device and don't have some kind of fallback your
>> accounts may be screwed.  As usual, security can conflict with usability
>> and the long-term availability of data.
> 
> Hum, in my first email I wrote:
> 
> """
> * Enable 2-factor auth on GitHub and Bitbucket using Yubikey
> * Print two-step recovery codes on paper and keep it safe somewhere
> """
> 
> Using multiple tokens reduces the risk of losing access to your account.

I don't know what security experts think, but the idea of having to
print and keep around recovery codes (for each and every website I
enable 2FA on!) sounds completely braindead to me.
Do you expect to be able to find back a random piece of paper in 5
years?  I certainly don't.

Regards

Antoine.
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Alex Gaynor

It's possible to generate a key on a regular computer and transfer it to a
YubiKey if you prefer. (It's not like software key generation has been
flawless either; [OpenSSL/Debian fiasco]. Oh well, such is life).

Even if you're not going to put your SSH keys on a YubiKey, I _strongly_
encourage folks to get a Security Key (aka U2F device), of which YubiKeys
are one brand, and use it for 2FA with Google/Github/Facebook/etc. In
addition to (IMO) being more usable than Google Authenticator, Security
Keys are resistant to phishing, which is a huge win.

Alex

On Mon, Dec 11, 2017 at 7:57 AM, Stefan Krah  wrote:

> On Mon, Dec 11, 2017 at 01:47:50PM +0100, Victor Stinner wrote:
> > 2017-12-11 13:29 GMT+01:00 Stefan Krah :
> > > Ssh isn't available everywhere, I don't want to install an app or give
> > > out my phone number to half of Silicon Valley [1].
> >
> > SMS and FreeOTP are just a few options that you have to generate/get OTP.
> >
> > I suggest to use Yubikey. It doesn't need to install an app or to give
> > your phone number, but it costs 50$. The advantage is that you can use
> > it to store your SSH and GPG keys.
>
>
> I'm not a fan of hardware key generation. :-)
>
>
> https://en.wikipedia.org/wiki/YubiKey
>
> "In October 2017, security researchers found a vulnerability (known as
> ROCA) in the implementation of RSA keypair generation in a cryptographic
> library used by a large number of Infineon security chips. The
> vulnerability allows an attacker to reconstruct the private key by using
> the public key.[18][19] All YubiKey 4, YubiKey 4C, and YubiKey 4 nano
> within the revisions 4.2.6 to 4.3.4 are affected by this vulnerability.[20]
> Yubico publicized a tool to check if a Yubikey is affected and replaces
> affected tokens for free.[21]"
>
>
>
>
> ___
> python-committers mailing list
> [email protected]
> https://mail.python.org/mailman/listinfo/python-committers
> Code of Conduct: https://www.python.org/psf/codeofconduct/
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

On 11 December 2017 at 12:29, Donald Stufft  wrote:
>
> On Dec 11, 2017, at 7:03 AM, Paul Moore  wrote:
>
> Um, I use https not ssh, as for at least some of the time I'm behind a
> firewall that only allows https, not ssh traffic. (I know, I'm sorry -
> I can probably be the worst possible corner case for *any* suggestion
> that gets made :-))
>
>
>
> https://help.github.com/articles/providing-your-2fa-authentication-code/#through-the-command-line

I use username and password and git credential manager. Uses the OS
password store. I don't know of any way that 2FA integrates with that.
If someone can tell me how it does (and it's as unobtrusive as, say
gMail which only prompts me if I log on via a previously unused
machine) then that's fine. Otherwise not so much.

Paul
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

On Mon, Dec 11, 2017 at 08:00:37AM -0500, Alex Gaynor wrote:
> It's possible to generate a key on a regular computer and transfer it to a
> YubiKey if you prefer. (It's not like software key generation has been
> flawless either; [OpenSSL/Debian fiasco]. Oh well, such is life).

Thanks, I did not know that.

I'm still against overuse of public key cryptography (also in home
banking).  The reason is simply that *if* you're the victim of a
key generation screwup that is not yet publicly known, you have a lot
of explaining to do.

This is one of the standard reasons many cryptography experts give
against home banking using card readers.

It puts all the responsibility on the customer/user.

Stefan Krah

___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email


Le 11/12/2017 à 14:00, Alex Gaynor a écrit :
> It's possible to generate a key on a regular computer and transfer it to
> a YubiKey if you prefer. (It's not like software key generation has been
> flawless either; [OpenSSL/Debian fiasco]. Oh well, such is life).

If I have my 2FA key on a regular computer (the same that runs my
password manager), is it still 2FA?

Regards

Antoine.
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 14:07 GMT+01:00 Antoine Pitrou :
> If I have my 2FA key on a regular computer (the same that runs my
> password manager), is it still 2FA?

It's still more secure than password only. If your password is leaked
by any mean, the 2FA still keeps you safe.

>From my point of view, the risk of password leak is much higher than a
compromise of your machine to steal your 2FA key. Passwords are
usually handled as text, you may paste it in the wrong field of a web
form, pass it as clear text (HTTP) by mistake, etc. 2FA key usually
use OTP: leaking an OTP is not an issue, since it's invalidated as
soon as you use it. The time window to hack your account is much
shorter.

It's not only a matter of 1-factor vs 2-factor, it's also the design
of OTP which is more secure than passwords.

It's always a matter of compromise between usability vs security.

Victor
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email


> On Dec 11, 2017, at 8:04 AM, Paul Moore  wrote:
> 
>> On 11 December 2017 at 12:29, Donald Stufft  wrote:
>> 
>> On Dec 11, 2017, at 7:03 AM, Paul Moore  wrote:
>> 
>> Um, I use https not ssh, as for at least some of the time I'm behind a
>> firewall that only allows https, not ssh traffic. (I know, I'm sorry -
>> I can probably be the worst possible corner case for *any* suggestion
>> that gets made :-))
>> 
>> 
>> 
>> https://help.github.com/articles/providing-your-2fa-authentication-code/#through-the-command-line
> 
> I use username and password and git credential manager. Uses the OS
> password store. I don't know of any way that 2FA integrates with that.
> If someone can tell me how it does (and it's as unobtrusive as, say
> gMail which only prompts me if I log on via a previously unused
> machine) then that's fine. Otherwise not so much.
> 
> Paul


Did you read the linked section? You generate a limited scope access token and 
use that in place of your password for command line usage via https.
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

On 11 December 2017 at 13:41, Donald Stufft  wrote:
>
>> On Dec 11, 2017, at 8:04 AM, Paul Moore  wrote:
>>
>>> On 11 December 2017 at 12:29, Donald Stufft  wrote:
>>>
>>> On Dec 11, 2017, at 7:03 AM, Paul Moore  wrote:
>>>
>>> Um, I use https not ssh, as for at least some of the time I'm behind a
>>> firewall that only allows https, not ssh traffic. (I know, I'm sorry -
>>> I can probably be the worst possible corner case for *any* suggestion
>>> that gets made :-))
>>>
>>>
>>>
>>> https://help.github.com/articles/providing-your-2fa-authentication-code/#through-the-command-line
>>
>> I use username and password and git credential manager. Uses the OS
>> password store. I don't know of any way that 2FA integrates with that.
>> If someone can tell me how it does (and it's as unobtrusive as, say
>> gMail which only prompts me if I log on via a previously unused
>> machine) then that's fine. Otherwise not so much.
>>
>> Paul
>
>
> Did you read the linked section? You generate a limited scope access token 
> and use that in place of your password for command line usage via https.

Maybe I didn't understand it. Doesn't that leave me in precisely the
same situation as a username/password, in that I have a single set of
credentials I can use? Or is the fact that it's tied to the specific
machine the point here? If so, then thanks, I can certainly use that
should someone decide that mandating 2FA is a good idea (I still
maintain that recommended but not mandatory is better, as my GH
account is not used solely for CPython development, so making such a
change has wider effects than just for this project).

Paul
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Chris Jerdonek

On Mon, Dec 11, 2017 at 4:58 AM, Victor Stinner
 wrote:
> ...
> Oh, my explanation makes the assumption that you all already enabled
> 2-factor auth on your email, right? :-) If you wasn't aware: email is
> simply the *most* critical part of your whole online data. If a hacker
> gets access to your email, you already lost all your online
> accounts...

Why do you say this? Can't this only be true for accounts that allow
password recovery / reset via email?

--Chris


>
> For Gmail users: you may have a look at
> https://myaccount.google.com/security as well. Maybe remove old
> services that have access to your Google account?
>
>
> After the hack, I also generated a new SSH key, even if it wasn't
> stored online and is encrypted by a passphrase. Just because I was
> using the same key since many years. I chose to use the new modern
> ed25519 key format. It uses an elliptic curve rather than RSA, it's a
> different kind of security. While I don't know if it's more secure, I
> read that it's faster :-)
>
> https://en.wikipedia.org/wiki/EdDSA
>
> I was able to use this new key formats on all services... except Launchpad.
>
> Changing a private SSH key isn't easy:
>
> * You have to install the new SSH on most services that you are using
> * You have to manually remove the old SSH key from *all* services that
> you are using (there is no global "SSH revokation" service...)
> * I used ~/.ssh/known_hosts to get most services, but also updated
> GitHub, Bitbucket, etc.
> * There are a few other services like psf-salt/psf-chef where you may
> also want to see your SSH key updated
> * The question is then if the old SSH key must be removed... the
> problem is that I never tried to keep track of services that I'm using
> through SSH, so I decided to keep the old SSH key (outside ~/.ssh). In
> practice, I'm only using my new SSH private since longer than 6 months
> and I was never blocked.
>
> I also had trouble to get working SSH agent on Gnome for my ed25519
> key, but I succeeded to enable the regular ssh-agent using systemd
> --user. Tell me if you want instructions for this part as well.
>
> Victor
> ___
> python-committers mailing list
> [email protected]
> https://mail.python.org/mailman/listinfo/python-committers
> Code of Conduct: https://www.python.org/psf/codeofconduct/
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

> On Dec 11, 2017, at 9:35 AM, Paul Moore  wrote:
> 
> Maybe I didn't understand it. Doesn't that leave me in precisely the
> same situation as a username/password, in that I have a single set of
> credentials I can use? Or is the fact that it's tied to the specific
> machine the point here? If so, then thanks, I can certainly use that
> should someone decide that mandating 2FA is a good idea (I still
> maintain that recommended but not mandatory is better, as my GH
> account is not used solely for CPython development, so making such a
> change has wider effects than just for this project).

It is true that this weakens the guarantees of 2fa (as does allowing 
authentication using a SSH key!). In general this trade off is worth it because 
the authority granted by those credentials is limited (in this case, I believe 
you can only push/pull with them, you can’t do anything else on the account) 
and they’re typically only used in contexts where leaking the credential is far 
far harder. As a bonus, they’re not going to be shared between multiple 
services.

So yea, it’s not as good as 2FA only everywhere, but the specific circumstances 
around these specific credentials makes it a reasonable usability trade off to 
allow them.___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

On 11 December 2017 at 18:03, Donald Stufft  wrote:
> So yea, it’s not as good as 2FA only everywhere, but the specific
> circumstances around these specific credentials makes it a reasonable
> usability trade off to allow them.

Cool. Security is always a usability vs security trade-off, and the
main thing here is not to push the balance too far - we need to
consider the potential issue of putting people off from contributing
as well as the risk of security compromises. (Open source is a hobby
activity for me - when it starts to feel too much like the day job, I
start getting twitchy :-))

Paul
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Julien Palard via python-committers

Antoine Pitrou : 
> I don't know what security experts think, but the idea of having to
> print and keep around recovery codes (for each and every website I
> enable 2FA on!) sounds completely braindead to me.
> Do you expect to be able to find back a random piece of paper in 5
> years?  I certainly don't.

The basic idea of 2FA is to cumulate something you know and
something you have.

Recovery codes are on the "something you have" side, they are not a secret,
they are a possession, so it's completly OK to keep your recovery codes
in your wallet.

It's even a good practice to keep them in your wallet: You know where
they are and they're accessible. If you break the
"thing you have" you can still identify yourself even if you're out of
your house.

If you loose your wallet, (got it stolen, dropped in the ocean, whatever),
it's no big deal: just regenerate the codes, nobody know your password,
your security is not broken.

In other words, the thief stealing a wallet is not the guy stealing
password, so everything's good, and you have to regereate your recovery
codes faster than they can meet (should be easy).

To reply to you other answer, it's not really OK to store your password and
your 2FA generating program on the same hardware, it breaks the
"something you know and something you have" separation, it's reduced to 
something
you have, it does no longer need two clearly separated steps to be broken.

-- 
Julien Palard
https://mdk.fr

___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email


Hi Julien,

(and welcome on this list)

Le 11/12/2017 à 19:53, Julien Palard a écrit :
> 
> Recovery codes are on the "something you have" side, they are not a secret,
> they are a possession, so it's completly OK to keep your recovery codes
> in your wallet.

A random piece of paper in my wallet may not have an extremely long
lifetime (paper is fragile).  And *one* piece of paper might be ok, but
what if I need one for every 2FA-enabled Web site?

Regards

Antoine.
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread R. David Murray

On Mon, 11 Dec 2017 18:14:41 +, Paul Moore  wrote:
> On 11 December 2017 at 18:03, Donald Stufft  wrote:
> > So yea, itâs not as good as 2FA only everywhere, but the specific
> > circumstances around these specific credentials makes it a reasonable
> > usability trade off to allow them.
> 
> Cool. Security is always a usability vs security trade-off, and the
> main thing here is not to push the balance too far - we need to
> consider the potential issue of putting people off from contributing
> as well as the risk of security compromises. (Open source is a hobby
> activity for me - when it starts to feel too much like the day job, I
> start getting twitchy :-))

Indeed.  If 2fa is required for contribution to CPython, I'll stop
contributing.  Granted, I haven't done many merges lately, but a few
is a bigger number than zero :)

--David
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Brett Cannon

On Mon, 11 Dec 2017 at 10:56 Antoine Pitrou  wrote:

>
> Hi Julien,
>
> (and welcome on this list)
>
> Le 11/12/2017 à 19:53, Julien Palard a écrit :
> >
> > Recovery codes are on the "something you have" side, they are not a
> secret,
> > they are a possession, so it's completly OK to keep your recovery codes
> > in your wallet.
>
> A random piece of paper in my wallet may not have an extremely long
> lifetime (paper is fragile).  And *one* piece of paper might be ok, but
> what if I need one for every 2FA-enabled Web site?
>

I print them out, trim the paper to just the codes to keep it small, and
keep the codes with my passport since I'm not about to lose track of that
important document. And there are only so many web sites that support 2FA
so the  number of pieces of paper isn't massive.
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

> On Dec 11, 2017, at 2:52 PM, R. David Murray  wrote:
> 
> If 2fa is required for contribution to CPython, I'll stop
> contributing. 

I’m curious why? I have it on and 99% of the time you don’t even notice because 
you’re already logged into GitHub and pushes/pulls don’t require it.___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Guido van Rossum

Whatever happens I don't want to lose core devs over this. (That said I
have 2fa on myself -- Dropbox pretty requires this -- and it's painless for
me. But I can totally understand that it's not the same experience for
everyone.)

On Mon, Dec 11, 2017 at 11:56 AM, Donald Stufft  wrote:

>
> On Dec 11, 2017, at 2:52 PM, R. David Murray 
> wrote:
>
> If 2fa is required for contribution to CPython, I'll stop
> contributing.
>
>
> I’m curious why? I have it on and 99% of the time you don’t even notice
> because you’re already logged into GitHub and pushes/pulls don’t require it.
>
> ___
> python-committers mailing list
> [email protected]
> https://mail.python.org/mailman/listinfo/python-committers
> Code of Conduct: https://www.python.org/psf/codeofconduct/
>
>


-- 
--Guido van Rossum (python.org/~guido)
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Steve Dower

On 11Dec2017 0504, Paul Moore wrote:

On 11 December 2017 at 12:29, Donald Stufft wrote:

On Dec 11, 2017, at 7:03 AM, Paul Moore wrote:

Um, I use https not ssh, as for at least some of the time I'm behind a
firewall that only allows https, not ssh traffic. (I know, I'm sorry -
I can probably be the worst possible corner case for *any* suggestion
that gets made :-))

https://help.github.com/articles/providing-your-2fa-authentication-code/#through-the-command-line

I use username and password and git credential manager. Uses the OS
password store. I don't know of any way that 2FA integrates with that.
If someone can tell me how it does (and it's as unobtrusive as, say
gMail which only prompts me if I log on via a previously unused
machine) then that's fine. Otherwise not so much.

On Windows, recent versions of git will pop up GUI login prompt that can
do 2FA. Then it gets cached as normal (and may occasionally pop up again
when the token expires).

Make sure your copy of git is up to date (which you should do anyway
because of the recent vulnerabilities in submodule resolution) and then
2FA is totally doable.

(Only caveat, I get my copy of git for Windows via the VS 2017
installer. I'm pretty sure nothing extra gets added to this, but it's
possible that a special credential manager does.)

Cheers,
Steve
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread R. David Murray

On Mon, 11 Dec 2017 14:52:54 -0500, "R. David Murray"  
wrote:
> Indeed.  If 2fa is required for contribution to CPython, I'll stop
> contributing.  Granted, I haven't done many merges lately, but a few
> is a bigger number than zero :)

And in case you think this means I don't consider security important:
I have been using strong, unique-per-site passwords (and in many cases
unique usernames/emails) for many years, and I run my own email server.

--David

Aside: something I have never understood is the relatively recent
craze for enter-username-first-then-go-to-password-screen.  Most of the
implementations I have encountered tell you if the username is unknown.
That reduces the cracker's search space by a considerable amount.  Using
your email address as the account id has the same problem, magnified.
I had already started using unique usernames/emails before that trend
happened, to battle spam, but it certainly reinforced my motivation for
doing so.  I unfortunately haven't gotten around to backfilling a lot
of the sites I did sign up to using my primary email address :(
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Julien Palard via python-committers

Antoine Pitrou : 
> A random piece of paper in my wallet may not have an extremely long
> lifetime (paper is fragile).  And one piece of paper might be ok, but
> what if I need one for every 2FA-enabled Web site?

It's a legitimate question, so I'm taking mine out right now to check.

I use a single folded paper of like 20cm×10cm, so folded twice it take
less than a standard card, and it's in a good shape
as it's stored in a flat compartment of my wallet (I'm having
it since like 6 months, I do not remember the "bad shape" of my previous
one when I changed it).

I'm currently having 7 sevices on it, with 6 codes for each of them,
there's still room for 4 services if I dont start using both sides.
It's handwritten as I didn't had a printer at that time (yes, it's a PITA
to write them all, I now have a printer and try with it next time).

So from my point of view it's totally OK to store them as a folded sheet of
paper in a wallet, as long as you can print and cut them: I agree, handwriting
them is really something I would not recommend. Also, renewing all codes
(if your wallet get stolen) take a huge amount of time if you have codes for,
say more than 5 sevices, it's something to consider, but does not happen often.

While I'm at it, applications like Google Authenticator does *not* display 
favicon
or whatever, just the name of the service, it starts to be annoying up to 10
registered services (almost two screen long of OTP being generated).

Also, I consider receiving OTP over SMS a bad solution: you may not
receive them in some places or some countries besides being relatively easy
to intercept (by someone really wanting them, they could just buy a big wrench 
for $10
at this point).

-- 
Julien Palard
https://mdk.fr



___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Alex Gaynor

The reason for the username-then-a-new-page-for-password flow in many cases
is that the sites have multiple flows depending on your username! The GMail
login page for example can send you to either the password page since
you're a consumer account, the password page because you're a GSuite
account using Google login, an off-site page since you're a GSuite using
SAML. (This is ignoring the need to choose 2FA flows -- TOTP vs SMS vs
Security Key!)

Alex

On Mon, Dec 11, 2017 at 3:11 PM, R. David Murray 
wrote:

> On Mon, 11 Dec 2017 14:52:54 -0500, "R. David Murray" <
> [email protected]> wrote:
> > Indeed.  If 2fa is required for contribution to CPython, I'll stop
> > contributing.  Granted, I haven't done many merges lately, but a few
> > is a bigger number than zero :)
>
> And in case you think this means I don't consider security important:
> I have been using strong, unique-per-site passwords (and in many cases
> unique usernames/emails) for many years, and I run my own email server.
>
> --David
>
> Aside: something I have never understood is the relatively recent
> craze for enter-username-first-then-go-to-password-screen.  Most of the
> implementations I have encountered tell you if the username is unknown.
> That reduces the cracker's search space by a considerable amount.  Using
> your email address as the account id has the same problem, magnified.
> I had already started using unique usernames/emails before that trend
> happened, to battle spam, but it certainly reinforced my motivation for
> doing so.  I unfortunately haven't gotten around to backfilling a lot
> of the sites I did sign up to using my primary email address :(
> ___
> python-committers mailing list
> [email protected]
> https://mail.python.org/mailman/listinfo/python-committers
> Code of Conduct: https://www.python.org/psf/codeofconduct/
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread R. David Murray

On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft  wrote:
> 
> > On Dec 11, 2017, at 2:52 PM, R. David Murray  wrote:
> > 
> > If 2fa is required for contribution to CPython, I'll stop
> > contributing. 
> 
> Iâm curious why? I have it on and 99% of the time you donât even
> notice because youâre already logged into GitHub and pushes/pulls
> donât require it.

I had to use 2FA when working for a corporate client, and it was
very annoying.  The fact that pushes and pulls don't require it
helps, but also makes it considerably less important.

But I suppose that fundamentally I do not want my security tied to a
possession.

--David
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email