Christian Heimes wrote:
> On 11.02.2013 13:26, M.-A. Lemburg wrote:
>> Why not leave the decision to change the password to the PyPI users
>> and only do a blog post and perhaps have a banner on PyPI to notify
>> them ?
>>
>> After all, unlike for the wiki installation, the PyPI passwords were
>> not compromised.
>
> It depends on your level of paranoia. Technically they are potentially
> compromised. The passwords were and are still transmitted over
> non-encrypted HTTP connections. </nitpicking>

True and Jesse's point is also true.

Please note, though, that if we reset passwords, we may very well lock
out PyPI users. If the registered email address is no longer valid,
there's no way to regain access to the account other than via an admin.

I also just tested the password reset mechanism and found a few issues.

Entering your details here:

https://pypi.python.org/pypi?%3Aaction=forgotten_password_form

results in an email:

"""
Someone, perhaps you, has requested that the password be changed for
your username, "xyz". If you wish to proceed with the change, please
follow the link below:

http://pypi.python.org/pypi?:action=password_reset&email=x%40yz.com

You should then receive another email with the new password.
"""

Clicking on the HTTP link then results in an *email* with a new clear
text password:

"""
Your login is: xyz
Your password is now: 1234
"""

The second email should probably contain a note explaining that the
password is temporary and should be changed as soon as possible on the
PyPI website.

Since there's no additional password reset protection (e.g. some
password reset question or similar additional authentication request
or a token which is sent with the first email), the above URL can be
used to reset any PyPI account for which you know the email address.

So I guess, the process needs to be fixed before going ahead with any
password reset.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
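As an added illustration of the fix Marc-Andre is asking for (a token sent with the first email, and no clear-text password in the second), here is a minimal token-based reset flow. This is example code written for this thread, not PyPI's own implementation; the user store, the token store, the `pypi.example` host and the one-hour lifetime are all constructed assumptions. The reset link carries a random, single-use, expiring token that is only ever delivered to the registered address, and the person following the link chooses the new password themselves, so knowing someone's email address is no longer enough to reset their account.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the PyPI user database
# (hypothetical; not PyPI's own code).
USERS = {"x@yz.com": {"username": "xyz", "password_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> (email, expires_at)

TOKEN_TTL_SECONDS = 3600  # assumed: a reset link is valid for one hour
PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored or mailed."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def _token_digest(token: str) -> str:
    # Only a digest of the token is stored, so a copy of the database
    # cannot be used to mint valid reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step one: the user asks for a reset.

    Returns the link that the server should email to the registered
    address, or None if the address is unknown. The HTTP response to
    the requester should be identical in both cases so that the form
    does not reveal which addresses have accounts.
    """
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    RESET_TOKENS[_token_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    # The link itself changes nothing; following it only proves that
    # the recipient controls the mailbox the token was sent to.
    return f"https://pypi.example/pypi?:action=password_reset&token={token}"


def complete_reset(token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Step two: the user follows the link and picks a new password.

    The token is consumed on first use and rejected after expiry, so
    a replayed or stale link cannot be used a second time.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_digest(token), None)  # single use
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    USERS[email]["password_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    link = request_reset("x@yz.com")
    print("would email:", link)
    tok = link.split("token=")[1]
    print("reset ok:", complete_reset(tok, "correct horse battery staple"))
    print("replay ok:", complete_reset(tok, "again"))  # False: token consumed
```

The two properties worth keeping even if the storage and hashing choices change are that the secret travels only to the mailbox on file (never as a predictable URL parameter) and that the server never generates or transmits a clear-text password. The `now` parameter exists so the expiry path can be exercised deterministically.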
