[python-committers] Re: Please make sure you're following good security practices with your GitHub account
I do use a Yubikey too.

On 6/14/21 at 11:27 PM, Tim Peters wrote:
> If I buy one and plug it in, and that's the end of it, fine by me

That's almost as simple as you want:

- In the GitHub settings 2FA tab you'll have to hit a "Register a new security key" button; it makes your key "blink" (blinking means: please touch the key to allow this action).
- Then every time you log in your key blinks and you have to touch it to allow this action.

And that's it. It uses an open standard called U2F [1] which works on a variety of setups (it works with Firefox on Debian for example). It also works on pypi.org \o/.

If the PSF is willing to help financially, I'd recommend everyone to buy (and register) two keys: a primary key and a backup key in case you lose or break the first one. I personally have a USB-C key and a USB-A key, so I can choose my key according to the USB port I need to use.

Then optionally you can set up a PIV application on the key to store your private ssh key, and use PKCS11 to forward ssh connection challenges to be resolved by the key. The big advantage is: your private key never leaves the key (which is write-only). It's way more complicated than U2F though!

[1]: https://en.wikipedia.org/wiki/Universal_2nd_Factor

--
[Julien Palard](https://mdk.fr)

___
python-committers mailing list -- python-committers@python.org
To unsubscribe send an email to python-committers-le...@python.org
https://mail.python.org/mailman3/lists/python-committers.python.org/
Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/HZPN57WF77CRUZAVSJQ7XP32V6I2VBE6/
Code of Conduct: https://www.python.org/psf/codeofconduct/
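What actually happens between the blink and the touch is a challenge-response signature. The following is an added example, not code from Julien's message or from any project discussed on this list: it models one security key and one site in Go using the standard library's P-256 ECDSA. The names Authenticator, RelyingParty and Scenario and the origin strings are the example's own assumptions; the signed bytes follow the U2F authentication signature base (hash of the application id, a user-presence byte, the counter, hash of the challenge), while the key handle, attestation certificate and the browser's client data are left out for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the security key: one P-256 key pair per registered origin and a counter that only goes up.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// RelyingParty is the site (GitHub, pypi.org) that stored the public key at registration.
type RelyingParty struct {
	AppID       string
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

// signingInput is the U2F authentication signature base:
// sha256(appID) || user-presence byte || counter (big-endian) || sha256(challenge).
func signingInput(appID string, counter uint32, challenge []byte) []byte {
	appHash, chHash := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	msg := append(appHash[:], 0x01) // user presence: the touch happened
	msg = binary.BigEndian.AppendUint32(msg, counter)
	return append(msg, chHash[:]...)
}

// Authenticate is the "key blinks, you touch it" step: the key signs only for an origin it holds a key for.
func (a *Authenticator) Authenticate(appID string, challenge []byte) (counter uint32, sig []byte, err error) {
	priv, ok := a.keys[appID]
	if !ok {
		return 0, nil, errors.New("no key registered for this origin")
	}
	a.counter++ // incremented on every touch; the site uses it to spot clones
	digest := sha256.Sum256(signingInput(appID, a.counter, challenge))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return a.counter, sig, err
}

// Verify checks the signature with the registered public key and rejects a
// counter that did not advance (replayed assertion or cloned key).
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) error {
	digest := sha256.Sum256(signingInput(rp.AppID, counter, challenge))
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	if counter <= rp.LastCounter {
		return errors.New("counter did not increase: replay or cloned key")
	}
	rp.LastCounter = counter
	return nil
}

// Scenario registers a key and reports which login attempts were accepted: a genuine touch,
// a replay of that same assertion, and a request from an origin the key was never registered with.
func Scenario() (genuine, replay, otherOrigin bool, err error) {
	const origin = "https://github.com" // origin as reported by the browser (assumed value)
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the "Register a new security key" step
	if err != nil {
		return
	}
	key := &Authenticator{keys: map[string]*ecdsa.PrivateKey{origin: priv}}
	rp := &RelyingParty{AppID: origin, Pub: &priv.PublicKey} // only the public half leaves the device
	challenge := make([]byte, 32) // fresh random nonce per login attempt
	if _, err = rand.Read(challenge); err != nil {
		return
	}
	counter, sig, err := key.Authenticate(origin, challenge)
	if err != nil {
		return
	}
	genuine = rp.Verify(challenge, counter, sig) == nil
	replay = rp.Verify(challenge, counter, sig) == nil // same assertion presented twice
	_, _, oerr := key.Authenticate("https://github.example", challenge)
	otherOrigin = oerr == nil // no key pair for that origin, so nothing is signed
	return
}

func main() {
	g, r, o, err := Scenario()
	fmt.Println("genuine:", g, "replay:", r, "other origin:", o, "err:", err)
}
```

Two things the touch buys you are visible in Scenario: the site picks a fresh random challenge for every login, so a captured assertion is useless a second time, and the signature commits to the origin the browser reported, so a key registered for github.com has nothing to sign when a different origin asks. The counter check is also why Julien's advice to register the backup key separately matters: each credential has its own counter, and a counter that goes backwards is treated as a replay or a clone.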
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
On Tue, Jun 15, 2021 at 11:08 AM Mariatta wrote:
> Thanks for sharing your experience, and I think it's important for us core developers to be careful and vigilant about this.
>
> I was wondering if we should add under the "core developers responsibility" section (https://devguide.python.org/coredev/#responsibilities), about securing their GitHub account with 2FA/MFA? I think this is something that can be made as required by the org admins. (and add that we'll work with folks if they need assistance in setting those up).

Yes, there's a setting at I believe the org level where we can require 2FA. I've tossed something on the SC agenda (which is currently massive, so who knows how long it will be before we get to this) to see if this is something we want to consider (if 2FA would actually stop you from contributing, do feel free to speak up, otherwise I assume it's a situation like Tim where we just need to help you figure out how to make it work).

-Brett

> On Mon, Jun 14, 2021 at 12:38 PM Brett Cannon wrote:
>> I have discovered someone tried to break into my GitHub account (you can check yourself by going to https://github.com/settings/security-log and looking for "failed to login" attempts for potentially odd geographical locations for yourself). CPython probably would have been the biggest target for them had they gotten in (my work stuff is all open source and it would have required breaking into another account). But GitHub has a completely unique password and MFA turned on, so they were unsuccessful.
>>
>> Please make sure you have a unique password for your GitHub account and that you have 2FA/MFA turned on (I honestly think we should start requiring this; I'm sure we can get money for folks to get security keys). Other languages like PHP have been successfully hacked (https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/), so this isn't a hypothetical anymore that we would be targets for folks who want to install a backdoor into one of the world's most popular programming languages and is now mission-critical for a lot of massive corporations and governments.

Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/U34DM5HVDFKF7KNC2KKGMFUEFKEDNCJ2/
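Brett's quoted advice to read the account security log for failed logins from unfamiliar places can be turned into a small triage pass. The following is an added example and not code from this thread or from GitHub: the JSON-lines layout, the field names, the country codes XX and YY and the sample entries are all constructed for the example and do not follow GitHub's actual export format, and Event, Finding and Triage are the example's own names. It groups activity by country, ignores the countries the owner normally logs in from, and ranks any country with a successful login first, because that is no longer an attempt.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Event is the shape assumed here for one security-log entry. It is constructed
// for this example and is not GitHub's documented export format.
type Event struct {
	Action  string `json:"action"`
	Country string `json:"country"`
	Time    string `json:"created_at"`
}

// SampleLog is constructed data: the account owner's own logins from CA, one of
// their own typos, and a burst of failed attempts from two other countries.
const SampleLog = `
{"action":"user.login","country":"CA","created_at":"2021-06-10T15:02:11Z"}
{"action":"user.failed_login","country":"CA","created_at":"2021-06-11T09:30:00Z"}
{"action":"user.failed_login","country":"XX","created_at":"2021-06-13T02:14:07Z"}
{"action":"user.failed_login","country":"XX","created_at":"2021-06-13T02:14:09Z"}
{"action":"user.failed_login","country":"XX","created_at":"2021-06-13T02:14:12Z"}
{"action":"user.failed_login","country":"YY","created_at":"2021-06-13T02:20:40Z"}
{"action":"user.login","country":"CA","created_at":"2021-06-14T08:00:00Z"}
`

// Finding summarises one country the owner does not normally log in from.
type Finding struct {
	Country string
	Failed  int // failed logins: someone is guessing; a unique password and 2FA are what stop them
	Success int // successful logins: the account is already in someone else's hands
}

// Triage reads JSON-lines log text and reports login activity from every
// country outside the owner's usual ones, successes first, then most failures.
func Triage(logText string, usual ...string) ([]Finding, error) {
	expected := map[string]bool{}
	for _, c := range usual {
		expected[c] = true
	}
	byCountry := map[string]*Finding{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("unparseable log line %q: %w", line, err)
		}
		if expected[ev.Country] || (ev.Action != "user.login" && ev.Action != "user.failed_login") {
			continue
		}
		f := byCountry[ev.Country]
		if f == nil {
			f = &Finding{Country: ev.Country}
			byCountry[ev.Country] = f
		}
		if ev.Action == "user.login" {
			f.Success++
		} else {
			f.Failed++
		}
	}
	findings := make([]Finding, 0, len(byCountry))
	for _, f := range byCountry {
		findings = append(findings, *f)
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Success != findings[j].Success {
			return findings[i].Success > findings[j].Success // a compromise outranks attempts
		}
		return findings[i].Failed > findings[j].Failed
	})
	return findings, nil
}

func main() {
	findings, err := Triage(SampleLog, "CA")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %d failed, %d successful\n", f.Country, f.Failed, f.Success)
	}
}
```

On the constructed sample, Triage(SampleLog, "CA") reports XX with three failed logins and YY with one; the owner's own failed attempt from CA is not reported because CA is in the usual set. Failed attempts from elsewhere are the signal Brett describes, and they are exactly the case where a unique password plus 2FA turns a scare into a log entry.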
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
On Tue, Jun 15, 2021 at 2:08 PM Mariatta wrote:
> Thanks for sharing your experience, and I think it's important for us core developers to be careful and vigilant about this.

Work picked up hardware fobs from Deepnet Security for a lower price. We paid about $16 apiece for 20, but had to go through their "request a quote" web form. Something like that should work fine for anyone who doesn't want to use a smartphone or bind it to their password manager. (After all, it wouldn't really be 2FA if your password manager provided both factors!)

-Fred

--
Fred L. Drake, Jr.
"There is nothing more uncommon than common sense." --Frank Lloyd Wright

Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/JK5PCOF6QPKDYRODB6RNC2H3QAVRAINX/
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
Thanks for sharing your experience, and I think it's important for us core developers to be careful and vigilant about this.

I was wondering if we should add under the "core developers responsibility" section (https://devguide.python.org/coredev/#responsibilities), about securing their GitHub account with 2FA/MFA? I think this is something that can be made as required by the org admins. (and add that we'll work with folks if they need assistance in setting those up).

On Mon, Jun 14, 2021 at 12:38 PM Brett Cannon wrote:
> I have discovered someone tried to break into my GitHub account (you can check yourself by going to https://github.com/settings/security-log and looking for "failed to login" attempts for potentially odd geographical locations for yourself). CPython probably would have been the biggest target for them had they gotten in (my work stuff is all open source and it would have required breaking into another account). But GitHub has a completely unique password and MFA turned on, so they were unsuccessful.
>
> Please make sure you have a unique password for your GitHub account and that you have 2FA/MFA turned on (I honestly think we should start requiring this; I'm sure we can get money for folks to get security keys). Other languages like PHP have been successfully hacked (https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/), so this isn't a hypothetical anymore that we would be targets for folks who want to install a backdoor into one of the world's most popular programming languages and is now mission-critical for a lot of massive corporations and governments.

Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/2ZJHJLXP5GNWLVYSEEHTAC2PTWLNLBST/