Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2018-01-07 Thread Alex Gaynor
Thanks -- I'll pass it along to the team working on U2F at Mozilla. Alex On Sun, Jan 7, 2018 at 11:42 AM, Antoine Pitrou wrote: > > It turns out that is a bug with Ubuntu's package for Firefox. It works > fine with the upstream build... :-( > >

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2018-01-07 Thread Antoine Pitrou
It turns out that is a bug with Ubuntu's package for Firefox. It works fine with the upstream build... :-( https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1741768 Regards Antoine. On 06/01/2018 at 20:42, Barry Warsaw wrote: > On Jan 6, 2018, at 14:00, Alex Gaynor

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2018-01-06 Thread Barry Warsaw
On Jan 6, 2018, at 14:00, Alex Gaynor wrote: > > Hey Antoine, > > Assuming you're on Firefox 57, it requires a pref -- once the WebAuthn spec is > finalized we'll drop the pref -- > https://mobile.twitter.com/jamespugjones/status/91231495223226 Oh wow, this is

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2018-01-06 Thread Antoine Pitrou
On 06/01/2018 at 20:04, Antoine Pitrou wrote: > > I have AppArmor enabled on Firefox, I may try to disable it. ... Nothing changed unfortunately. Regards Antoine.

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2018-01-06 Thread Antoine Pitrou
On 06/01/2018 at 20:00, Alex Gaynor wrote: > Hey Antoine, > > Assuming you're on Firefox 57, it requires a pref -- once the WebAuthn > spec is finalized we'll drop the pref > -- https://mobile.twitter.com/jamespugjones/status/91231495223226 Yes, I already did so... I'm using

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2018-01-06 Thread Kushal Das
On Sun, Jan 7, 2018 at 12:29 AM, Antoine Pitrou wrote: > > Hi, > > So, for the record (even though this discussion has petered out), I've > just bought a U2F key and it doesn't work on Ubuntu Firefox (though it > works on Chromium). So it's pretty much unusable for me. > You

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2018-01-06 Thread Alex Gaynor
Hey Antoine, Assuming you're on Firefox 57, it requires a pref -- once the WebAuthn spec is finalized we'll drop the pref -- https://mobile.twitter.com/jamespugjones/status/91231495223226 Alex On Sat, Jan 6, 2018 at 1:59 PM, Antoine Pitrou wrote: > > Hi, > > So, for the

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2018-01-06 Thread Antoine Pitrou
Hi, So, for the record (even though this discussion has petered out), I've just bought a U2F key and it doesn't work on Ubuntu Firefox (though it works on Chromium). So it's pretty much unusable for me. Regards Antoine.

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Alex Gaynor
They require a preference to be enabled, but yeah, Security Keys in Firefox Quantum https://mobile.twitter.com/jamespugjones/status/91231495223226 Alex On Tue, Dec 12, 2017 at 11:21 AM, Antoine Pitrou wrote: > > If some people are inclined to push for 2FA, I think it

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Antoine Pitrou
If some people are inclined to push for 2FA, I think it would be more productive to write some kind of document giving advice and suggestions and addressing all potential issues (such as backups, cross-platform compatibility, software integration with various tools, etc.). For example I have 2FA

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Brett Cannon
On Tue, Dec 12, 2017, 05:07 M.-A. Lemburg, wrote: > I'm with David on this one. 2FA is good for admin accounts, but > doesn't add much protection for regular committers. Think of what > you're trying to protect against: git checkins are all audited and > can easily be undone. >

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Stefan Krah
On Tue, Dec 12, 2017 at 02:04:42PM +0100, Christian Heimes wrote: > If you don't the trust closed-source Yubico hardware, there is plenty of > other hardware out. https://www.nitrokey.com/ is good German engineering > with fully open-sourced hardware and software. > > Adam has compiled a nice

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Christian Heimes
On 2017-12-12 02:17, Gregory P. Smith wrote: > On Mon, Dec 11, 2017 at 12:26 PM R. David Murray > wrote: > > On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft > wrote: > > > > > On

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread M.-A. Lemburg
I'm with David on this one. 2FA is good for admin accounts, but doesn't add much protection for regular committers. Think of what you're trying to protect against: git checkins are all audited and can easily be undone. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Victor Stinner
2017-12-11 17:19 GMT+01:00 Chris Jerdonek : > Why do you say this? Can't this only be true for accounts that allow > password recovery / reset via email? > > --Chris While I didn't check, I'm quite sure that the email quickly enters into the play when you want to

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Gregory P. Smith
On Mon, Dec 11, 2017 at 12:26 PM R. David Murray wrote: > On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft > wrote: > > > > > On Dec 11, 2017, at 2:52 PM, R. David Murray > wrote: > > > > > > If 2fa is required for contribution

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread R. David Murray
On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft wrote: > > > On Dec 11, 2017, at 2:52 PM, R. David Murray wrote: > > > > If 2fa is required for contribution to CPython, I'll stop > > contributing. > > I’m curious why? I have it on and 99% of the

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Alex Gaynor
The reason for the username-then-a-new-page-for-password flow in many cases is that the sites have multiple flows depending on your username! The GMail login page for example can send you to either the password page since you're a consumer account, the password page because you're a GSuite account

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Julien Palard via python-committers
Antoine Pitrou : > A random piece of paper in my wallet may not have an extremely long > lifetime (paper is fragile). And one piece of paper might be ok, but > what if I need one for every 2FA-enabled Web site? It's a legitimate question, so I'm taking mine out right now to

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread R. David Murray
On Mon, 11 Dec 2017 14:52:54 -0500, "R. David Murray" wrote: > Indeed. If 2fa is required for contribution to CPython, I'll stop > contributing. Granted, I haven't done many merges lately, but a few > is a bigger number than zero :) And in case you think this means I

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Steve Dower
On 11Dec2017 0504, Paul Moore wrote: On 11 December 2017 at 12:29, Donald Stufft wrote: On Dec 11, 2017, at 7:03 AM, Paul Moore wrote: Um, I use https not ssh, as for at least some of the time I'm behind a firewall that only allows https, not ssh

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Guido van Rossum
Whatever happens I don't want to lose core devs over this. (That said I have 2fa on myself -- Dropbox pretty requires this -- and it's painless for me. But I can totally understand that it's not the same experience for everyone.) On Mon, Dec 11, 2017 at 11:56 AM, Donald Stufft

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Donald Stufft
> On Dec 11, 2017, at 2:52 PM, R. David Murray wrote: > > If 2fa is required for contribution to CPython, I'll stop > contributing. I’m curious why? I have it on and 99% of the time you don’t even notice because you’re already logged into GitHub and pushes/pulls don’t

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Brett Cannon
On Mon, 11 Dec 2017 at 10:56 Antoine Pitrou wrote: > > Hi Julien, > > (and welcome on this list) > > On 11/12/2017 at 19:53, Julien Palard wrote: > > > > Recovery codes are on the "something you have" side, they are not a > secret, > > they are a possession, so it's

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread R. David Murray
On Mon, 11 Dec 2017 18:14:41 +, Paul Moore wrote: > On 11 December 2017 at 18:03, Donald Stufft wrote: > > So yea, it’s not as good as 2FA only everywhere, but the specific > > circumstances around these specific credentials makes it a reasonable > >

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Antoine Pitrou
Hi Julien, (and welcome on this list) On 11/12/2017 at 19:53, Julien Palard wrote: > > Recovery codes are on the "something you have" side, they are not a secret, > they are a possession, so it's completely OK to keep your recovery codes > in your wallet. A random piece of paper in my wallet

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Julien Palard via python-committers
Antoine Pitrou : > I don't know what security experts think, but the idea of having to > print and keep around recovery codes (for each and every website I > enable 2FA on!) sounds completely braindead to me. > Do you expect to be able to find back a random piece of paper in 5

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Donald Stufft
> On Dec 11, 2017, at 9:35 AM, Paul Moore wrote: > > Maybe I didn't understand it. Doesn't that leave me in precisely the > same situation as a username/password, in that I have a single set of > credentials I can use? Or is the fact that it's tied to the specific > machine

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Chris Jerdonek
On Mon, Dec 11, 2017 at 4:58 AM, Victor Stinner wrote: > ... > Oh, my explanation makes the assumption that you all already enabled > 2-factor auth on your email, right? :-) If you weren't aware: email is > simply the *most* critical part of your whole online data. If a

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Donald Stufft
> On Dec 11, 2017, at 8:04 AM, Paul Moore wrote: > >> On 11 December 2017 at 12:29, Donald Stufft wrote: >> >> On Dec 11, 2017, at 7:03 AM, Paul Moore wrote: >> >> Um, I use https not ssh, as for at least some of the time I'm

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Victor Stinner
2017-12-11 14:07 GMT+01:00 Antoine Pitrou : > If I have my 2FA key on a regular computer (the same that runs my > password manager), is it still 2FA? It's still more secure than password only. If your password is leaked by any means, the 2FA still keeps you safe. From my

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Antoine Pitrou
On 11/12/2017 at 14:00, Alex Gaynor wrote: > It's possible to generate a key on a regular computer and transfer it to > a YubiKey if you prefer. (It's not like software key generation has been > flawless either; [OpenSSL/Debian fiasco]. Oh well, such is life). If I have my 2FA key on a regular

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Stefan Krah
On Mon, Dec 11, 2017 at 08:00:37AM -0500, Alex Gaynor wrote: > It's possible to generate a key on a regular computer and transfer it to a > YubiKey if you prefer. (It's not like software key generation has been > flawless either; [OpenSSL/Debian fiasco]. Oh well, such is life). Thanks, I did not

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Paul Moore
On 11 December 2017 at 12:29, Donald Stufft wrote: > > On Dec 11, 2017, at 7:03 AM, Paul Moore wrote: > > Um, I use https not ssh, as for at least some of the time I'm behind a > firewall that only allows https, not ssh traffic. (I know, I'm sorry - > I can

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Antoine Pitrou
On 11/12/2017 at 13:55, Victor Stinner wrote: > 2017-12-11 13:51 GMT+01:00 Antoine Pitrou : >> Before recommending anything you/we should first give guidelines and >> best practices for backup etc. >> >> If you lose your 2FA device and don't have some kind of fallback your

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Stefan Krah
On Mon, Dec 11, 2017 at 01:47:50PM +0100, Victor Stinner wrote: > 2017-12-11 13:29 GMT+01:00 Stefan Krah : > > Ssh isn't available everywhere, I don't want to install an app or give > > out my phone number to half of Silicon Valley [1]. > > SMS and FreeOTP are just a few

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Victor Stinner
2017-12-11 13:51 GMT+01:00 Antoine Pitrou : > Before recommending anything you/we should first give guidelines and > best practices for backup etc. > > If you lose your 2FA device and don't have some kind of fallback your > accounts may be screwed. As usual, security can

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Victor Stinner
2017-12-11 13:29 GMT+01:00 Stefan Krah : > Ssh isn't available everywhere, I don't want to install an app or give > out my phone number to half of Silicon Valley [1]. SMS and FreeOTP are just a few options that you have to generate/get OTP. I suggest to use Yubikey. It

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Stefan Krah
On Mon, Dec 11, 2017 at 12:19:46PM +0100, Victor Stinner wrote: > 2017-12-11 12:05 GMT+01:00 Stefan Krah : > > https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise > > https://gist.github.com/peternixey/1978249 > > > > I'm pretty sure my long GitHub-only

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Donald Stufft
> On Dec 11, 2017, at 7:03 AM, Paul Moore wrote: > > Um, I use https not ssh, as for at least some of the time I'm behind a > firewall that only allows https, not ssh traffic. (I know, I'm sorry - > I can probably be the worst possible corner case for *any* suggestion >

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Paul Moore
On 11 December 2017 at 11:27, Kushal Das wrote: > On Mon, Dec 11, 2017 at 4:44 PM, Paul Moore wrote: >> On 11 December 2017 at 10:16, Kushal Das wrote: >>> On a related note, we should ask all committers to enable 2FA and then >>>

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Victor Stinner
2017-12-11 11:16 GMT+01:00 Kushal Das : > On a related note, we should ask all committers to enable 2FA and then > make the organization to 2FA only on github. That is a standard policy of > many organizations on github. The first step for that would be to have an idea of how

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Kushal Das
On Mon, Dec 11, 2017 at 4:44 PM, Paul Moore wrote: > On 11 December 2017 at 10:16, Kushal Das wrote: >> On a related note, we should ask all committers to enable 2FA and then >> make the organization to 2FA only on github. That is a standard policy of >>

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Victor Stinner
2017-12-11 12:05 GMT+01:00 Stefan Krah : > https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise > https://gist.github.com/peternixey/1978249 > > I'm pretty sure my long GitHub-only password is more secure than several > key-gen algorithms on smart cards ...

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Paul Moore
On 11 December 2017 at 10:16, Kushal Das wrote: > On a related note, we should ask all committers to enable 2FA and then > make the organization to 2FA only on github. That is a standard policy of > many organizations on github. Before making such a requirement, we should

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Stefan Krah
On Mon, Dec 11, 2017 at 03:46:23PM +0530, Kushal Das wrote: > On a related note, we should ask all committers to enable 2FA and then > make the organization to 2FA only on github. That is a standard policy of > many organizations on github.

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Kushal Das
On Mon, Dec 11, 2017 at 3:28 PM, Victor Stinner wrote: > Hi, > > > The next step was to enable 2-factor authentication on GitHub and Bitbucket: > > * Configure the yubikey to generate an OTP for GitHub (for "long > press" on the key) > * Firefox: install >

[python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-11 Thread Victor Stinner
Hi, On 12 February 2017, I got an email from Bitbucket: "we detected a suspicious login to your Bitbucket Cloud account. We believe that a malicious actor used a large database of usernames and passwords stolen from third party services to access Bitbucket Cloud accounts. We can't know exactly