Since the wiki.python.org database was likely compromised and it was using a weak hash, we should probably assume that all passwords in there have been leaked. Because of this I want to formally propose that PyPI reset its passwords.
I've recently created a PR (based on some of Giovanni Bajo's) that switches PyPI to using passlib and ideally bcrypt (although configurable). Included in that PR is the ability to auto-migrate from the existing scheme (unsalted sha1) to the new scheme (bcrypt) upon login. However, I think a better approach would be to not automatically upgrade and instead have the upgrade occur when a user changes their password. Then we should set a date (a month from now? 2?) after which any user who has not reset/changed their password will have their password invalidated and will need to use PyPI's recovery options. The reason I believe we should reset is that there is a high likelihood that people used the same login/password on PyPI as they did on wiki.python.org, and thus even if we migrate to a stronger hash, many accounts may be already compromised, or will be in the future.
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig