[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-29 Thread Guido van Rossum
There’s another possible explanation. This mailing list is archived and the archives are publicly readable. On Tue, Jun 29, 2021 at 22:07 Tim Peters wrote: > Just for interest, I noticed a failed login attempt to my Github > account about two hours ago, originating in Toronto. > > That's the

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-29 Thread Tim Peters
Just for interest, I noticed a failed login attempt to my Github account about two hours ago, originating in Toronto. That's the first fishy thing Github's security log ever showed for my account. I do have 2FA enabled there now, so I'm not worried. Coincidence? About a week after I enabled 2FA

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-22 Thread Tim Peters
FYI, after getting nudged by Jack Jansen (thanks!), I'm using 2FA on GitHub now. If I can do it, anyone can. On Windows desktop, no smart phone, no cell phone, no QR code scanner. Using Authy (free), which did one setup step via a landline phone call instead (Authy does demand to know _a_ phone

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-16 Thread Julien Palard via python-committers
On 6/16/21 at 10:50 AM, Antoine Pitrou wrote: > It's as reliable as printing passwords on a piece of paper, isn't it? The password is *something you know*, so we (all?) agree: printing it is a bad idea. The 2nd factor is *something you have*, so printing them is not an issue, and having them

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-16 Thread Christian Heimes
On 16/06/2021 10.50, Antoine Pitrou wrote: > > On 16/06/2021 at 10:33, Christian Heimes wrote: >> On 16/06/2021 07.14, Julien Palard via python-committers wrote: >>> I do use a Yubikey too. >>> >>> On 6/14/21 at 11:27 PM, Tim Peters wrote: If I buy one and plug it in, and that's the end

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-16 Thread Antoine Pitrou
On 16/06/2021 at 07:14, Julien Palard via python-committers wrote: I do use a Yubikey too. On 6/14/21 at 11:27 PM, Tim Peters wrote: If I buy one and plug it in, and that's the end of it, fine by me That's almost as simple as you want: - In Github settings 2FA tab you'll have to hit a

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-16 Thread Antoine Pitrou
On 16/06/2021 at 10:33, Christian Heimes wrote: On 16/06/2021 07.14, Julien Palard via python-committers wrote: I do use a Yubikey too. On 6/14/21 at 11:27 PM, Tim Peters wrote: If I buy one and plug it in, and that's the end of it, fine by me That's almost as simple as you want: - In

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-16 Thread Christian Heimes
On 16/06/2021 07.14, Julien Palard via python-committers wrote: > I do use a Yubikey too. > > On 6/14/21 at 11:27 PM, Tim Peters wrote: >> If I buy one and plug it in, and that's the end of it, fine by me > > That's almost as simple as you want: > > - In Github settings 2FA tab you'll have to

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-16 Thread Marc-Andre Lemburg
Something I'd like to add to the discussion: 2FA on Github only applies to the website, not the SSH access:

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-16 Thread Paul Moore
On Wed, 16 Jun 2021 at 06:15, Julien Palard via python-committers wrote: > > I do use a Yubikey too. I'm not particularly bothered by the debate over 2FA (I have a 2FA app on my phone that I use and that's sufficient) but I'd like to offer a counter argument to everyone saying Yubikeys are a

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-15 Thread Julien Palard via python-committers
I do use a Yubikey too. On 6/14/21 at 11:27 PM, Tim Peters wrote: > If I buy one and plug it in, and that's the end of it, fine by me That's almost as simple as you want: - In Github settings 2FA tab you'll have to hit a "Register a new security key" button, it makes your key "blink" (blinking

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-15 Thread Brett Cannon
On Tue, Jun 15, 2021 at 11:08 AM Mariatta wrote: > Thanks for sharing your experience, and I think it's important for us core > developers to be careful and vigilant about this. > > I was wondering if we should add under the "core developers > responsibility" section ( >

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-15 Thread Fred Drake
On Tue, Jun 15, 2021 at 2:08 PM Mariatta wrote: > Thanks for sharing your experience, and I think it's important for us core > developers to be careful and vigilant about this. > Work picked up hardware fobs from Deepnet Security for a lower price. We paid about $16 apiece for 20, but had to

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-15 Thread Mariatta
Thanks for sharing your experience, and I think it's important for us core developers to be careful and vigilant about this. I was wondering if we should add under the "core developers responsibility" section (https://devguide.python.org/coredev/#responsibilities), about securing their GitHub

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Jason R. Coombs
I use a mobile device to store TOTP tokens (one time use passcodes), but as I also wish to use my workstation device to generate these tokens, I’ve historically used a tool called oathtool to generate these one time tokens (from a stored secret), but due to

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Terry Reedy
On 6/14/2021 3:38 PM, Brett Cannon wrote: I have discovered someone tried to break into my GitHub account (you can check yourself by going to https://github.com/settings/security-log and looking for "failed to login" attempts for potentially odd

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Donald Stufft
> On Jun 14, 2021, at 5:27 PM, Tim Peters wrote: > > [Donald Stufft ] >> You can get a Yubikey for like $15? or so and use that for best in class 2fa. >> >> You can also get an app for your desktop PC that can do TOTP codes >> (1Password has it built in, I’ve never used any of these applications

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Terry Reedy
On 6/14/2021 5:06 PM, Donald Stufft wrote: On Amazon, Yubikey is $45-55 for 3 kinds of interfaces. One must buy the right one. And then configure with each remote account. Pictures show usb-c keys plugged into laptops, but desktops and monitors with usb have standard usb-2/3 ports. Fido

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Tim Peters
[Donald Stufft ] > You can get a Yubikey for like $15? or so and use that for best in class 2fa. > > You can also get an app for your desktop PC that can do TOTP codes > (1Password has it built in, I’ve never used any of these applications > though). Thanks! Alas, it's all utter gibberish to me.

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Donald Stufft
> On Jun 14, 2021, at 5:02 PM, Tim Peters wrote: > > [Brett] >> ... >> Please make sure you have a unique password for your GitHub account >> and that you have 2FA/MFA turned on (I honestly think we should start >> requiring this ... > > I use 2FA on sites that cater to my reality ;-) That

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Tim Peters
[Brett] > ... > Please make sure you have a unique password for your GitHub account > and that you have 2FA/MFA turned on (I honestly think we should start > requiring this ... I use 2FA on sites that cater to my reality ;-) That is, I don't have a smartphone, or a cell phone of any kind, or any

[python-committers] Re: Please make sure you're following good security practices with your GitHub account

2021-06-14 Thread Victor Stinner
See also https://discuss.python.org/t/remove-coordinator-role-of-inactive-coordinators-on-bugs-python-org/866 for the security of bugs.python.org. So far, no action was taken. Inactive coordinators kept their permission. For GitHub, I'm using a Yubikey and FreeOTP for the 2FA. Victor On Mon,