On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote:
> Giovanni Bajo wrote:
> > On 11 Feb 2013, at 13:25, Jesse Noller <[email protected]> wrote:
> >
> > > Actually I was thinking about this in the shower: the likelihood that
> > > pypi users used the same passwords as they did on the wiki is probably
> > > much higher than any of us assume.
> >
> > Given that the passwords were unsalted in both instances, a set
> > intersection is enough to verify.
>
> The moin wiki passwords were salted.
>
> The reason we reset the passwords, was that the attackers had
> access to both the salt and the hashes.

What were they hashed with? Even with a salt a fast hash is trivial to bruteforce for a large number of passwords in practically no time with trivial hardware.
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
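The two points raised in this thread, as an added example that is not part of any message above: equal unsalted hashes expose password reuse across two tables by set intersection, per-user salts hide it, and a salt alone does not change the cost of one hash evaluation. The thread does not say which hash either site used; SHA-1 as the "fast hash", PBKDF2-HMAC-SHA256 as the slow one, and all account data are assumptions constructed for illustration.

```python
import hashlib
import os
import time

# Constructed sample data: two sites with overlapping users and reused passwords.
SITE_A = {"alice": "correct horse", "bob": "hunter2", "carol": "tr0ub4dor"}
SITE_B = {"alice": "correct horse", "bob": "not-reused", "dave": "hunter2"}

def unsalted_table(users):
    """Unsalted fast hash: equal passwords always give equal stored values."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}

def salted_table(users):
    """Per-user random salt with the same fast hash, stored as (salt, hash)."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = (salt, hashlib.sha1(salt + p.encode()).hexdigest())
    return table

def reused_hashes(table_a, table_b):
    """Set intersection of the stored hash values of two tables."""
    def digests(t):
        return {v[1] if isinstance(v, tuple) else v for v in t.values()}
    return digests(table_a) & digests(table_b)

def seconds_per_hash(fn, rounds):
    """Average wall-clock cost of one hash evaluation."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(b"candidate-%d" % i)
    return (time.perf_counter() - start) / rounds

def cost_ratio(iterations=100_000):
    """Cost of one PBKDF2 evaluation relative to one salted SHA-1 evaluation."""
    salt = os.urandom(16)
    fast = seconds_per_hash(lambda pw: hashlib.sha1(salt + pw).digest(), 20_000)
    slow = seconds_per_hash(
        lambda pw: hashlib.pbkdf2_hmac("sha256", pw, salt, iterations), 3)
    return slow / fast

if __name__ == "__main__":
    a, b = unsalted_table(SITE_A), unsalted_table(SITE_B)
    print("reuse visible, unsalted:", len(reused_hashes(a, b)))
    a, b = salted_table(SITE_A), salted_table(SITE_B)
    print("reuse visible, salted:  ", len(reused_hashes(a, b)))
    print("PBKDF2 / salted SHA-1 cost per evaluation: %.0fx" % cost_ratio())
```

The ratio printed on the last line is the work factor a deliberately slow key-derivation function adds per guess; the salt contributes none of it.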
