Both issues. As for the # of rounds for bcrypt: yes, it should be increased; 
but maxing somewhere reasonable - 250+ ms for calculation is probably "OK" but 
it's going to be trivial to DoS unless this merge request also comes with all 
the other things you propose (rate limiting, etc).  

If we increase the # of bcrypt rounds without simultaneously fixing the 
potential DoS we're stabbing ourselves in the face, not making it more secure. 


On Monday, February 11, 2013 at 5:31 AM, Giovanni Bajo wrote:

> On what? On using bcrypt with 1ms computation time? Or on the migration path? 
> Those are the two issues at discussion.
> 
> On 11 Feb 2013, at 11:06, Jesse Noller <[email protected] 
> (mailto:[email protected])> wrote:
> 
> > That's disappointing - Christian is correct 
> > 
> > On Feb 11, 2013, at 3:39 AM, Richard Jones <[email protected] 
> > (mailto:[email protected])> wrote:
> > 
> > > Given the discussion on the pull request I think I'll hold off. There
> > > seems to be some question regarding its appropriateness which I'm not
> > > really in a position to judge.
> > > 
> > > 
> > > Richard
> > > 
> > > On 10 February 2013 21:57, Richard Jones <[email protected] 
> > > (mailto:[email protected])> wrote:
> > > > Thanks, I'll be reviewing that tomorrow if Martin doesn't beat me to it.
> > > > 
> > > > 
> > > > Richard
> > > > 
> > > > On 10 February 2013 14:26, Giovanni Bajo <[email protected] 
> > > > (mailto:[email protected])> wrote:
> > > > > Hi,
> > > > > 
> > > > > I went ahead with an important task in my security design doc: 
> > > > > migration of PyPI to bcrypt.
> > > > > 
> > > > > This is the pull request:
> > > > > https://bitbucket.org/loewis/pypi/pull-request/2/use-bcrypt-instead-of-unsalted-sha1/diff
> > > > > 
> > > > > --
> > > > > Giovanni Bajo :: [email protected] (mailto:[email protected])
> > > > > Develer S.r.l. :: http://www.develer.com
> > > > > 
> > > > > My Blog: http://giovanni.bajo.it
> > > > > 
> > > > > _______________________________________________
> > > > > Catalog-SIG mailing list
> > > > > [email protected] (mailto:[email protected])
> > > > > http://mail.python.org/mailman/listinfo/catalog-sig
> > > > 
> > > 
> > > 
> > 
> 
> -- 
> Giovanni Bajo :: [email protected] (mailto:[email protected])
> Develer S.r.l. :: http://www.develer.com
> 
> My Blog: http://giovanni.bajo.it 
> 
> 
> 



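The trade-off argued above (a work factor tuned to a few hundred milliseconds per hash is only safe if unauthenticated login attempts are rate limited first) and the migration from unsalted SHA1 that the pull request title describes, as an added worked example. This is not code from the thread, from PyPI or from the pull request. Because bcrypt is not in the Python standard library, the example uses PBKDF2-HMAC-SHA256 with 2**cost iterations as a stand-in whose cost parameter behaves like bcrypt's log2 work factor; the 4-core capacity figure, the per-IP limit and the sample user are constructed for illustration.

```python
"""Work factor vs. login DoS budget, with legacy unsalted-SHA1 upgrade on login.

Added example, not PyPI's code.  slow_hash is a PBKDF2 stand-in for bcrypt
(assumption: a real deployment would call bcrypt.hashpw instead).
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


def slow_hash(password: bytes, salt: bytes, cost: int) -> bytes:
    # 2**cost iterations, so each +1 on `cost` doubles the time, like bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1 << cost)


def time_hash_ms(cost: int) -> float:
    """Wall-clock milliseconds for a single hash at this cost on this machine."""
    t0 = time.perf_counter()
    slow_hash(b"benchmark-password", b"\x00" * 16, cost)
    return (time.perf_counter() - t0) * 1000.0


def calibrate_cost(target_ms: float, min_cost: int = 4, max_cost: int = 31) -> int:
    """Smallest cost whose hash takes at least target_ms (e.g. 250), capped at max_cost."""
    cost = min_cost
    while cost < max_cost and time_hash_ms(cost) < target_ms:
        cost += 1
    return cost


def max_attempts_per_second(hash_ms: float, cores: int) -> float:
    """Login attempts per second that saturate `cores` CPUs with hashing alone.

    At 250 ms per hash on 4 cores this is 16 requests/s, a rate one
    unauthenticated client reaches trivially: the DoS point in the thread.
    """
    return cores * 1000.0 / hash_ms


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window_s` seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class UserStore:
    """Records are ("sha1", digest) for legacy rows or ("slow", salt, cost, digest)."""

    def __init__(self, cost: int):
        self.cost = cost
        self.records = {}
        self.hashes_computed = 0  # counts expensive hashes actually run

    def add_legacy_sha1(self, user: str, password: bytes) -> None:
        # Constructed legacy row: unsalted SHA1, as the pull request title describes.
        self.records[user] = ("sha1", hashlib.sha1(password).digest())

    def set_password(self, user: str, password: bytes) -> None:
        salt = os.urandom(16)
        self.hashes_computed += 1
        self.records[user] = ("slow", salt, self.cost, slow_hash(password, salt, self.cost))

    def verify(self, user: str, password: bytes) -> bool:
        rec = self.records.get(user)
        if rec is None:
            # Unknown user: burn a hash anyway so user enumeration by timing is harder.
            self.hashes_computed += 1
            slow_hash(password, b"\x00" * 16, self.cost)
            return False
        if rec[0] == "sha1":
            ok = hmac.compare_digest(rec[1], hashlib.sha1(password).digest())
            if ok:
                self.set_password(user, password)  # migrate on successful login
            return ok
        _, salt, cost, digest = rec
        self.hashes_computed += 1
        return hmac.compare_digest(digest, slow_hash(password, salt, cost))


def attempt_login(store: UserStore, limiter: SlidingWindowLimiter,
                  client_ip: str, user: str, password: bytes, now: float) -> str:
    """Cheap checks first: a rate-limited attempt never reaches the slow hash."""
    if not limiter.allow(client_ip, now):
        return "rate_limited"
    return "ok" if store.verify(user, password) else "bad_credentials"
```

The order of checks in `attempt_login` is the whole point: the limiter costs a deque lookup, the hash costs hundreds of milliseconds, so the limiter has to run first or the work factor becomes an attacker-controlled CPU burn. Keying the limiter by client address alone is a simplification; a real service would also bound attempts per account, since a distributed attacker rotates addresses.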
