On 12 Feb 2013, at 12:31, Donald Stufft <[email protected]> wrote:
> Since the wiki.python.org database was likely compromised and it was using a
> weak hash we should probably assume that all passwords in there have been leaked.
> Because of this I want to formally propose that PyPI reset its passwords.
>
> I've recently created a PR (based on some of Giovanni Bajo's) that switches PyPI
> to using passlib and ideally bcrypt (although configurable). Included in that PR is the
> ability to auto migrate from the existing scheme (unsalted sha1) to the new scheme (bcrypt)
> upon login.
>
> However I think a better approach would be to not automatically upgrade and instead
> have the upgrade occur when a user changes their password. Then we should set
> a date (A month from now? 2?) where any user who has not reset/changed their
> password will have their password invalidated and will need to use PyPI's recovery
> options.

What about forcing this reset only for users that also have an account on wiki.python.org?

Notice that PyPI recovery options should be improved, as they currently send a new password via email in clear text. It should ideally be changed to mailing a link pointing to a reset password form.

--
Giovanni Bajo :: [email protected]
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
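The login-time verify-and-rehash migration described in the quoted PR, combined with the cut-off date after which un-upgraded legacy hashes are invalidated and the user is sent to recovery, as an added illustration that is not code from this thread or from PyPI. It assumes a plain dict as the user table, and stdlib PBKDF2-HMAC-SHA256 stands in for the passlib/bcrypt scheme the proposal names so the example runs without third-party packages.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt (assumption): PBKDF2-HMAC-SHA256 from the stdlib.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1(password):
    """The old PyPI scheme the thread wants to retire: unsalted SHA-1 hex digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """New scheme: salted, iterated hash stored as 'pbkdf2$<iters>$<salt>$<hash>'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def is_legacy(stored):
    """Anything not tagged with the new scheme is an unsalted SHA-1 entry."""
    return not stored.startswith("pbkdf2$")


def verify(stored, password):
    """Constant-time comparison against whichever scheme the stored value uses."""
    if is_legacy(stored):
        return hmac.compare_digest(stored, legacy_sha1(password))
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users, username, password, now, deadline):
    """Returns 'ok', 'upgraded', 'expired' or 'denied'. now/deadline are unix times.

    Before the deadline a correct password against a legacy hash is rehashed
    under the new scheme. After the deadline a legacy hash is refused outright,
    so the user must go through the recovery flow (ideally a reset link).
    """
    stored = users.get(username)
    if stored is None:
        return "denied"
    if is_legacy(stored) and now >= deadline:
        return "expired"
    if not verify(stored, password):
        return "denied"
    if is_legacy(stored):
        users[username] = hash_password(password)  # migrate on successful login
        return "upgraded"
    return "ok"
```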
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
