I think it's a safe assumption that people using PSF resources such as PyPI and the wiki used the same passwords, and the bug tracker too. The best approach is, sadly, a global reset.
On Feb 11, 2013, at 8:54 AM, Giovanni Bajo <[email protected]> wrote:

> On 11 Feb 2013, at 14:38, Donald Stufft <[email protected]> wrote:
>
>> On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote:
>>> Giovanni Bajo wrote:
>>>> On 11 Feb 2013, at 13:25, Jesse Noller <[email protected]> wrote:
>>>>
>>>>> Actually I was thinking about this in the shower: the likelihood that
>>>>> PyPI users used the same passwords as they did on the wiki is probably
>>>>> much higher than any of us assume.
>>>>
>>>> Given that the passwords were unsalted in both instances, a set
>>>> intersection is enough to verify.
>>>
>>> The moin wiki passwords were salted.
>>>
>>> The reason we reset the passwords was that the attackers had
>>> access to both the salt and the hashes.
>>>
>> What were they hashed with? Even with a salt, a fast hash is trivial to
>> brute-force for a large number of passwords in practically no time
>> with trivial hardware.
>>
>
> Yes, and that's why all passwords were reset.
>
> PyPI is even worse (unsalted SHA), but there is no current evidence of
> compromise. The discussion here is that I suggest migrating all hashes
> immediately to bcrypt (by bcrypting the SHA1 hash, and then detecting this at
> startup), while Christian's proposal is to migrate as users log in, so leaving
> SHA1 hashes in that DB for an unknown number of days/weeks/months.
> --
> Giovanni Bajo :: [email protected]
> Develer S.r.l. :: http://www.develer.com
>
> My Blog: http://giovanni.bajo.it
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
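The two migration strategies argued over in the quoted thread, as an added example that is not part of the original messages and is not PyPI's code: Giovanni's proposal (wrap every stored SHA-1 digest under a slow, salted hash in one batch, then recognise the wrapped form at verification time and re-hash natively once the user logs in) beside Christian's (leave the raw SHA-1 in place and upgrade only as each user logs in). The thread proposes bcrypt; because the standard library has no bcrypt, this example substitutes PBKDF2-HMAC-SHA256 from `hashlib` as the slow salted hash. The record format, the `PBKDF2_ROUNDS` work factor, the function names and the sample user table are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumption: work factor picked for this example; tune it to your own hardware.
PBKDF2_ROUNDS = 100_000


def legacy_sha1(password: str) -> str:
    """The legacy scheme under discussion: a single unsalted SHA-1 hex digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_legacy(stored: str) -> bool:
    """A bare 40-hex-character string is an unwrapped legacy SHA-1 hash."""
    return len(stored) == 40 and not stored.startswith("$")


def _record(kind: str, rounds: int, salt: bytes, digest: bytes) -> str:
    # Assumed storage format: $kind$rounds$salt_hex$digest_hex
    return "$%s$%d$%s$%s" % (kind, rounds, salt.hex(), digest.hex())


def _parse(record: str):
    kind, rounds, salt_hex, digest_hex = record.lstrip("$").split("$")
    return kind, int(rounds), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def wrap_legacy_hash(sha1_hex: str) -> str:
    """Batch step (the 'migrate immediately' proposal): feed the *stored SHA-1
    digest*, not the password, through the slow salted KDF. No plaintext is
    needed, so it can run over the whole table now; afterwards no raw SHA-1
    hash remains in the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", sha1_hex.encode("ascii"), salt, PBKDF2_ROUNDS)
    return _record("wrapped-sha1", PBKDF2_ROUNDS, salt, digest)


def hash_password(password: str) -> str:
    """Native scheme for new passwords and for accounts upgraded after login."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return _record("pbkdf2", PBKDF2_ROUNDS, salt, digest)


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement). replacement is a new record the caller should
    write back: set when a legacy or wrapped-legacy hash verifies and we now
    hold the plaintext needed to produce a native hash; otherwise None."""
    if is_legacy(stored):
        # The 'migrate as users log in' path: until this login happens the
        # unsalted SHA-1 stays in the database.
        ok = hmac.compare_digest(legacy_sha1(password), stored)
        return ok, (hash_password(password) if ok else None)
    kind, rounds, salt, expected = _parse(stored)
    if kind == "wrapped-sha1":
        material = legacy_sha1(password).encode("ascii")  # recompute the inner SHA-1
    elif kind == "pbkdf2":
        material = password.encode("utf-8")
    else:
        raise ValueError("unknown password record format")
    got = hashlib.pbkdf2_hmac("sha256", material, salt, rounds)
    if not hmac.compare_digest(got, expected):
        return False, None
    return True, (hash_password(password) if kind == "wrapped-sha1" else None)


def migrate_table(table: dict) -> int:
    """Wrap every legacy row in place; returns the number of rows rewritten."""
    rewritten = 0
    for user, stored in table.items():
        if is_legacy(stored):
            table[user] = wrap_legacy_hash(stored)
            rewritten += 1
    return rewritten


def count_legacy(table: dict) -> int:
    return sum(1 for stored in table.values() if is_legacy(stored))


def demo():
    # Constructed sample table in the legacy format (not real PyPI data).
    table = {"alice": legacy_sha1("correct horse"), "bob": legacy_sha1("hunter2")}
    before = count_legacy(table)
    migrate_table(table)
    after_batch = count_legacy(table)            # 0: no raw SHA-1 left
    ok, new_record = verify_and_upgrade("correct horse", table["alice"])
    if new_record:
        table["alice"] = new_record              # lazy upgrade to the native form
    bad, _ = verify_and_upgrade("wrong", table["bob"])
    return before, after_batch, ok, bad, table["alice"].startswith("$pbkdf2$")


if __name__ == "__main__":
    print(demo())
```

The point the thread makes is visible in `count_legacy`: after `migrate_table` it is zero immediately, whereas under the login-only path it only falls as individual users happen to return. Wrapping does not make the inner SHA-1 any stronger as a function, but an attacker who dumps the table after the batch step must pay the KDF cost per guess instead of one fast SHA-1.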
