On Mon, Dec 11, 2017 at 12:26 PM R. David Murray wrote:
> On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft wrote:
> >
> > > On Dec 11, 2017, at 2:52 PM, R. David Murray wrote:
> > >
> > > If 2fa is required for contribution to CPython, I'll stop
> > > contributing.
> >
> > I’m curious why?
On 11 December 2017 at 20:15, Julien Palard via python-committers wrote:
> Antoine Pitrou :
>> A random piece of paper in my wallet may not have an extremely long
>> lifetime (paper is fragile). And one piece of paper might be ok, but
>> what if I need one for every 2FA-enabled Web site?
>
> It's
On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft wrote:
>
> > On Dec 11, 2017, at 2:52 PM, R. David Murray wrote:
> >
> > If 2fa is required for contribution to CPython, I'll stop
> > contributing.
>
> I’m curious why? I have it on and 99% of the time you don’t even
> notice because you’
The reason for the username-then-a-new-page-for-password flow in many cases
is that the sites have multiple flows depending on your username! The GMail
login page for example can send you to either the password page since
you're a consumer account, the password page because you're a GSuite
account
Antoine Pitrou :
> A random piece of paper in my wallet may not have an extremely long
> lifetime (paper is fragile). And one piece of paper might be ok, but
> what if I need one for every 2FA-enabled Web site?
It's a legitimate question, so I'm taking mine out right now to check.
I use a singl
On Mon, 11 Dec 2017 14:52:54 -0500, "R. David Murray" wrote:
> Indeed. If 2fa is required for contribution to CPython, I'll stop
> contributing. Granted, I haven't done many merges lately, but a few
> is a bigger number than zero :)
And in case you think this means I don't consider security im
On 11Dec2017 0504, Paul Moore wrote:
On 11 December 2017 at 12:29, Donald Stufft wrote:
On Dec 11, 2017, at 7:03 AM, Paul Moore wrote:
Um, I use https not ssh, as for at least some of the time I'm behind a
firewall that only allows https, not ssh traffic. (I know, I'm sorry -
I can probably
Whatever happens I don't want to lose core devs over this. (That said I
have 2fa on myself -- Dropbox pretty much requires this -- and it's painless for
me. But I can totally understand that it's not the same experience for
everyone.)
On Mon, Dec 11, 2017 at 11:56 AM, Donald Stufft wrote:
>
> On Dec
> On Dec 11, 2017, at 2:52 PM, R. David Murray wrote:
>
> If 2fa is required for contribution to CPython, I'll stop
> contributing.
I’m curious why? I have it on and 99% of the time you don’t even notice because
you’re already logged into GitHub and pushes/pulls don’t require it.
On Mon, 11 Dec 2017 at 10:56 Antoine Pitrou wrote:
>
> Hi Julien,
>
> (and welcome on this list)
>
> On 11/12/2017 at 19:53, Julien Palard wrote:
> >
> > Recovery codes are on the "something you have" side, they are not a
> > secret, they are a possession, so it's completely OK to keep your re
On Mon, 11 Dec 2017 18:14:41 +, Paul Moore wrote:
> On 11 December 2017 at 18:03, Donald Stufft wrote:
> > So yea, it’s not as good as 2FA only everywhere, but the specific
> > circumstances around these specific credentials makes it a reasonable
> > usability trade off to allow them.
>
>
Hi Julien,
(and welcome on this list)
On 11/12/2017 at 19:53, Julien Palard wrote:
>
> Recovery codes are on the "something you have" side, they are not a secret,
> they are a possession, so it's completely OK to keep your recovery codes
> in your wallet.
A random piece of paper in my wallet
Antoine Pitrou :
> I don't know what security experts think, but the idea of having to
> print and keep around recovery codes (for each and every website I
> enable 2FA on!) sounds completely braindead to me.
> Do you expect to be able to find back a random piece of paper in 5
> years? I certainl
On 11 December 2017 at 18:03, Donald Stufft wrote:
> So yea, it’s not as good as 2FA only everywhere, but the specific
> circumstances around these specific credentials makes it a reasonable
> usability trade off to allow them.
Cool. Security is always a usability vs security trade-off, and the
m
> On Dec 11, 2017, at 9:35 AM, Paul Moore wrote:
>
> Maybe I didn't understand it. Doesn't that leave me in precisely the
> same situation as a username/password, in that I have a single set of
> credentials I can use? Or is the fact that it's tied to the specific
> machine the point here? If so
On Mon, Dec 11, 2017 at 4:58 AM, Victor Stinner wrote:
> ...
> Oh, my explanation makes the assumption that you all already enabled
> 2-factor auth on your email, right? :-) If you weren't aware: email is
> simply the *most* critical part of your whole online data. If a hacker
> gets access to your
On 11 December 2017 at 13:41, Donald Stufft wrote:
>
>> On Dec 11, 2017, at 8:04 AM, Paul Moore wrote:
>>
>>> On 11 December 2017 at 12:29, Donald Stufft wrote:
>>>
>>> On Dec 11, 2017, at 7:03 AM, Paul Moore wrote:
>>>
>>> Um, I use https not ssh, as for at least some of the time I'm behind a
> On Dec 11, 2017, at 8:04 AM, Paul Moore wrote:
>
>> On 11 December 2017 at 12:29, Donald Stufft wrote:
>>
>> On Dec 11, 2017, at 7:03 AM, Paul Moore wrote:
>>
>> Um, I use https not ssh, as for at least some of the time I'm behind a
>> firewall that only allows https, not ssh traffic. (I k
2017-12-11 14:07 GMT+01:00 Antoine Pitrou :
> If I have my 2FA key on a regular computer (the same that runs my
> password manager), is it still 2FA?
It's still more secure than password only. If your password is leaked
by any means, the 2FA still keeps you safe.
From my point of view, the risk o
On 11/12/2017 at 14:00, Alex Gaynor wrote:
> It's possible to generate a key on a regular computer and transfer it to
> a YubiKey if you prefer. (It's not like software key generation has been
> flawless either; [OpenSSL/Debian fiasco]. Oh well, such is life).
If I have my 2FA key on a regular
On Mon, Dec 11, 2017 at 08:00:37AM -0500, Alex Gaynor wrote:
> It's possible to generate a key on a regular computer and transfer it to a
> YubiKey if you prefer. (It's not like software key generation has been
> flawless either; [OpenSSL/Debian fiasco]. Oh well, such is life).
Thanks, I did not k
On 11 December 2017 at 12:29, Donald Stufft wrote:
>
> On Dec 11, 2017, at 7:03 AM, Paul Moore wrote:
>
> Um, I use https not ssh, as for at least some of the time I'm behind a
> firewall that only allows https, not ssh traffic. (I know, I'm sorry -
> I can probably be the worst possible corner c
It's possible to generate a key on a regular computer and transfer it to a
YubiKey if you prefer. (It's not like software key generation has been
flawless either; [OpenSSL/Debian fiasco]. Oh well, such is life).
Even if you're not going to put your SSH keys on a YubiKey, I _strongly_
encourage fol
On 11/12/2017 at 13:55, Victor Stinner wrote:
> 2017-12-11 13:51 GMT+01:00 Antoine Pitrou :
>> Before recommending anything you/we should first give guidelines and
>> best practices for backup etc.
>>
>> If you lose your 2FA device and don't have some kind of fallback your
>> accounts may be scr
On Mon, Dec 11, 2017 at 01:47:50PM +0100, Victor Stinner wrote:
> 2017-12-11 13:29 GMT+01:00 Stefan Krah :
> > Ssh isn't available everywhere, I don't want to install an app or give
> > out my phone number to half of Silicon Valley [1].
>
> SMS and FreeOTP are just a few options that you have to g
2017-12-11 13:51 GMT+01:00 Antoine Pitrou :
> Before recommending anything you/we should first give guidelines and
> best practices for backup etc.
>
> If you lose your 2FA device and don't have some kind of fallback your
> accounts may be screwed. As usual, security can conflict with usability
>
On 11/12/2017 at 13:47, Victor Stinner wrote:
> 2017-12-11 13:29 GMT+01:00 Stefan Krah :
>> Ssh isn't available everywhere, I don't want to install an app or give
>> out my phone number to half of Silicon Valley [1].
>
> SMS and FreeOTP are just a few options that you have to generate/get OTP.
2017-12-11 13:29 GMT+01:00 Stefan Krah :
> Ssh isn't available everywhere, I don't want to install an app or give
> out my phone number to half of Silicon Valley [1].
SMS and FreeOTP are just a few options that you have to generate/get OTP.
I suggest to use Yubikey. It doesn't need to install an
On Mon, Dec 11, 2017 at 12:19:46PM +0100, Victor Stinner wrote:
> 2017-12-11 12:05 GMT+01:00 Stefan Krah :
> > https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise
> > https://gist.github.com/peternixey/1978249
> >
> > I'm pretty sure my long GitHub-only password is more secure th
> On Dec 11, 2017, at 7:03 AM, Paul Moore wrote:
>
> Um, I use https not ssh, as for at least some of the time I'm behind a
> firewall that only allows https, not ssh traffic. (I know, I'm sorry -
> I can probably be the worst possible corner case for *any* suggestion
> that gets made :-))
htt
On 11 December 2017 at 11:27, Kushal Das wrote:
> On Mon, Dec 11, 2017 at 4:44 PM, Paul Moore wrote:
>> On 11 December 2017 at 10:16, Kushal Das wrote:
>>> On a related note, we should ask all committers to enable 2FA and then
>>> make the organization to 2FA only on github. That is a standard p
2017-12-11 11:16 GMT+01:00 Kushal Das :
> On a related note, we should ask all committers to enable 2FA and then
> make the organization to 2FA only on github. That is a standard policy of
> many organizations on github.
The first step for that would be to have an idea of how many core
developers
On Mon, Dec 11, 2017 at 4:44 PM, Paul Moore wrote:
> On 11 December 2017 at 10:16, Kushal Das wrote:
>> On a related note, we should ask all committers to enable 2FA and then
>> make the organization to 2FA only on github. That is a standard policy of
>> many organizations on github.
>
> Before m
2017-12-11 12:05 GMT+01:00 Stefan Krah :
> https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise
> https://gist.github.com/peternixey/1978249
>
> I'm pretty sure my long GitHub-only password is more secure than several
> key-gen algorithms on smart cards ...
I wouldn't comment the
On 11 December 2017 at 10:16, Kushal Das wrote:
> On a related note, we should ask all committers to enable 2FA and then
> make the organization to 2FA only on github. That is a standard policy of
> many organizations on github.
Before making such a requirement, we should ensure that doing so
doe
On Mon, Dec 11, 2017 at 03:46:23PM +0530, Kushal Das wrote:
> On a related note, we should ask all committers to enable 2FA and then
> make the organization to 2FA only on github. That is a standard policy of
> many organizations on github.
https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_syst
On Mon, Dec 11, 2017 at 3:28 PM, Victor Stinner wrote:
> Hi,
>
>
> The next step was to enable 2-factor authentication on GitHub and Bitbucket:
>
> * Configure the yubikey to generate an OTP for GitHub (for "long
> press" on the key)
> * Firefox: install
> https://addons.mozilla.org/fr/firefox/ad
On 11/12/2017 at 10:58, Victor Stinner wrote:
>
> I also had trouble getting the SSH agent working on Gnome for my ed25519
> key, but I succeeded in enabling the regular ssh-agent using systemd
> --user. Tell me if you want instructions for this part as well.
Blame gnome-keyring for this:
https://bug
Hi,
On 12 February 2017, I got an email from Bitbucket: "we detected a
suspicious login to your Bitbucket Cloud account. We believe that a
malicious actor used a large database of usernames and passwords
stolen from third party services to access Bitbucket Cloud accounts.
We can't know exactly how