On 14.02.2013 00:17, Richard Jones wrote:
> On 13 February 2013 22:32, Giovanni Bajo <[email protected]> wrote:
>> On 13/feb/2013, at 12:14, Richard Jones <[email protected]> wrote:
>>>
>>> 2. fix the email password reset debacle (mostly written, not tested),
>>
>> Is this committed anywhere I can take a look?
>
> It will be presently. In short, the old procedure was:
>
> 1. user enters username in form and is emailed a link back to PyPI
>    which embeds the username and password,
> 2. user clicks link and, on receiving both username and email address
>    a new password is generated and mailed to the email address.
>
> If the user knows both the username and email address they can skip
> straight to step 2.
>
> The new scheme involves:
>
> 1. user enters username in "I've forgotten my password" form,
> 2. PyPI emails user with a link back to itself with a reset OTK (32
>    random chars from letters+digits) valid for 6 hours,
> 3. On clicking the link the user sees a password reset form where they
>    enter their new password, and
> 4. On submitting the reset form the OTK is deleted and password changed.
>
> If an invalid username is entered PyPI will say so: the set of pypi
> usernames is public anyway through APIs and general web scraping and
> this behaviour is more user-friendly than the more common "I may or
> may not have emailed you a reset email."
Thanks for sending the scheme.

To help prevent phishing attacks, you could add a user token field to the form in step 1, which is sent in the step 2 email. A user can then more easily detect whether s/he requested the password reset. VISA/MasterCard use a similar approach with their "user defined welcome message".

The scheme does not protect against email sniffing attacks, but I'm not sure how that could be done without adding some form of two factor authentication.

Here's the scenario:

* it's PyCon again
* attacker sets up a script that runs the password reset form for a few hundred interesting accounts
* attacker sets up a WLAN sniffer to look for pypi reset emails
* attacker starts the script and waits for reset emails
* attacker finds an email, uses the link and sets a new password on the account before the account owner can intervene

While many people will probably use secure methods to access their email, there will likely be some that also receive emails on mobile phones or pads using plain text transmission.

It may be helpful to add some form of surge protection to PyPI to detect and help prevent the above attack. Such a surge protection would likely also help detect unwanted PyPI crawling.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Feb 14 2013)
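The reset flow Richard describes (32-character letters+digits OTK, 6-hour validity, token deleted on use, unknown usernames reported explicitly), together with the requester-chosen phrase and the surge protection Marc-Andre suggests, as an added Python sketch; this is not PyPI's code. The in-memory stores, the rate-limit values, the injectable clock and the PBKDF2 password storage are assumptions.

```python
import secrets
import string
import time
from hashlib import pbkdf2_hmac, sha256

ALPHABET = string.ascii_letters + string.digits  # "letters+digits", as in the scheme
OTK_LENGTH = 32                                  # 32 random chars, as in the scheme
OTK_TTL = 6 * 60 * 60                            # valid for 6 hours, as in the scheme
RESET_LIMIT, RESET_WINDOW = 5, 60 * 60           # constructed surge-protection values


class ResetService:
    """Keeps only sha256(OTK) server-side, so a copied token table cannot be replayed."""

    def __init__(self, users, now=time.time):
        self.users = users        # username -> email address (constructed sample data)
        self.now = now            # injectable clock so expiry can be exercised in tests
        self.tokens = {}          # sha256(otk) -> (username, expires_at)
        self.requests = {}        # username -> timestamps of recent reset requests
        self.passwords = {}       # username -> (salt, pbkdf2 digest); assumption, not PyPI's store

    def request_reset(self, username, user_phrase=""):
        """Steps 1-2: check the username, apply surge protection, mint an OTK.

        Returns (recipient, otk, user_phrase); the caller builds the email.
        user_phrase is the requester-chosen text that is echoed back in the
        email so the recipient can tell a reset they asked for from phishing."""
        if username not in self.users:
            raise KeyError("unknown username")          # PyPI says so explicitly
        now = self.now()
        recent = [s for s in self.requests.get(username, []) if now - s < RESET_WINDOW]
        if len(recent) >= RESET_LIMIT:
            raise RuntimeError("too many reset requests")   # surge protection
        self.requests[username] = recent + [now]
        otk = "".join(secrets.choice(ALPHABET) for _ in range(OTK_LENGTH))
        self.tokens[sha256(otk.encode()).hexdigest()] = (username, now + OTK_TTL)
        return self.users[username], otk, user_phrase

    def reset_password(self, otk, new_password):
        """Steps 3-4: the OTK is deleted on use (pop), and expired OTKs are refused."""
        entry = self.tokens.pop(sha256(otk.encode()).hexdigest(), None)
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        salt = secrets.token_bytes(16)
        self.passwords[username] = (salt, pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000))
        return True

    def check_password(self, username, password):
        salt, digest = self.passwords[username]
        return secrets.compare_digest(digest, pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
```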
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
