Richard Jones wrote:
> Given the discussion on the pull request I think I'll hold off. There
> seems to be some question regarding its appropriateness which I'm not
> really in a position to judge.

FWIW, the DoS problem with the multi-round hash algorithms was also
an issue for moin. They chose to use passlib with moin:

http://hg.moinmo.in/moin/1.9/file/tip/docs/CHANGES

and the default hash algorithm is sha512_crypt. Everything was made
configurable to be able to easily switch algorithms and use different
numbers of rounds to adjust for the use cases.

See these links for a discussion on the hash algorithms and rounds
values:

http://pythonhosted.org/passlib/new_app_quickstart.html#choosing-a-hash
http://pythonhosted.org/passlib/password_hash_api.html#choosing-the-right-rounds-value

Also note that these password hashes mainly protect against the case
where a user uses the same password for multiple services. If an
attacker gets access to the stored password hashes, he'll already have
all the power he needs to change any aspect of an arbitrary number of
accounts, including changing the passwords, so we're not gaining any
protection for *PyPI* by using a high number of rounds. The additional
number of rounds only protects against use of the passwords on other
services.

As a result, the DoS problem weighs more in this context than the
protection against brute-force or rainbow table attacks.

Let's please not get paranoid over all this. As long as the parameters
remain configurable, we can approach these things in small steps and
don't need to get all tied up in discussions about how to turn PyPI
into Fort Knox :-)

> Richard
>
> On 10 February 2013 21:57, Richard Jones <[email protected]> wrote:
>> Thanks, I'll be reviewing that tomorrow if Martin doesn't beat me to it.
>>
>>
>> Richard
>>
>> On 10 February 2013 14:26, Giovanni Bajo <[email protected]> wrote:
>>> Hi,
>>>
>>> I went ahead with an important task in my security design doc: migration of
>>> PyPI to bcrypt.
>>>
>>> This is the pull request:
>>> https://bitbucket.org/loewis/pypi/pull-request/2/use-bcrypt-instead-of-unsalted-sha1/diff
>>>
>>> --
>>> Giovanni Bajo :: [email protected]
>>> Develer S.r.l. :: http://www.develer.com
>>>
>>> My Blog: http://giovanni.bajo.it
>>>
>>> _______________________________________________
>>> Catalog-SIG mailing list
>>> [email protected]
>>> http://mail.python.org/mailman/listinfo/catalog-sig

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
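The configurable-rounds scheme Marc-Andre describes (a stored hash that records its own algorithm and rounds, so the cost can be raised later without a flag day, and a way to measure what each verification costs the server) is illustrated below. This is an added example written for this thread; it is not passlib's code, not the PyPI pull request, and not from any message above. It uses only the Python standard library (hashlib.pbkdf2_hmac with SHA-256 standing in for sha512_crypt or bcrypt), and the storage format `pbkdf2_sha256$<rounds>$<salt>$<digest>`, the function names, and the default of 100,000 rounds are all assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import NamedTuple, Optional, Tuple

# Assumed for this example: algorithm tag and default work factor.
# In a real deployment both would come from configuration, as the
# message argues, so they can be tuned per use case.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ROUNDS = 100_000


class StoredHash(NamedTuple):
    """Parsed form of the assumed 'algo$rounds$salt_b64$digest_b64' string."""
    algorithm: str
    rounds: int
    salt: bytes
    digest: bytes


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted hash; the rounds value is stored alongside it so a
    later verifier knows exactly how much work to redo."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt defeats rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$".join([ALGORITHM, str(rounds), _b64(salt), _b64(digest)])


def parse_stored(stored: str) -> StoredHash:
    """Split and validate a stored hash; raises ValueError on anything odd."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("unrecognised hash format")
    rounds = int(parts[1])
    if rounds < 1:
        raise ValueError("invalid rounds value")
    return StoredHash(parts[0], rounds, _unb64(parts[2]), _unb64(parts[3]))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/rounds; constant-time compare."""
    try:
        rec = parse_stored(stored)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    rec.salt, rec.rounds)
    return hmac.compare_digest(candidate, rec.digest)


def needs_rehash(stored: str, target_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True if the stored hash was made with a different work factor than
    the currently configured one (or is unparseable)."""
    try:
        rec = parse_stored(stored)
    except ValueError:
        return True
    return rec.rounds != target_rounds


def login(password: str, stored: str,
          target_rounds: int = DEFAULT_ROUNDS) -> Tuple[bool, Optional[str]]:
    """Verify a login and, if the configured rounds changed, return an
    upgraded hash to write back. This is the 'small steps' path: raise the
    setting, and hashes migrate as users log in."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, target_rounds):
        return True, hash_password(password, target_rounds)
    return True, None


def seconds_per_verify(rounds: int, samples: int = 3) -> float:
    """Measure the server-side cost of one verification at a given rounds
    value; this is the number to weigh against the DoS concern."""
    stored = hash_password("benchmark-only", rounds)
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("benchmark-only", stored)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    for r in (1_000, 10_000, 100_000):
        print(f"{r:>7} rounds: {seconds_per_verify(r) * 1000:.2f} ms per verify")
```

Running the block prints the per-verification cost at three rounds settings, which is the practical input to the rounds-versus-DoS trade-off discussed above: an unauthenticated login endpoint will spend that much CPU per attempt, so the rounds value (and any rate limiting in front of it) should be chosen with the measured figure in hand rather than by maximising the work factor.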
