[Catalog-sig] Mandatory Reset of PyPI Passwords

Donald Stufft donald.stufft at gmail.com
Wed Feb 13 18:55:36 CET 2013


On Wednesday, February 13, 2013 at 11:25 AM, Antoine Pitrou wrote:
> Jesse Noller <jnoller <at> gmail.com> writes:
> > On Feb 13, 2013, at 7:13 AM, Antoine Pitrou <solipsis <at> pitrou.net> wrote:
> > 
> > > Richard Jones <richard <at> python.org> writes:
> > > > 3. send email to all registered users indicating that all users must
> > > > change their password and a forced reset will take place in a week's
> > > > time for users who have not done so, and
> > > > 
> > > 
> > > 
> > > What about users who've already changed their password?
> > 
> > Why not force the reset anyway? 
> 
> Because annoying responsible users is unfriendly and incompetent.
> 
> You shouldn't expect the average user to have a specifically indulgent a priori
> towards the PSF; nor should you imagine they like having to change their
> passwords. Managing one's passwords is for most users a major PITA.
> 
> If some outside organization forced a second password reset on me after
> I'd changed my password a first time, I would certainly not get a good opinion
> of them.
> 
There's no way to determine if users have changed their password. The passlib
branch will be deployed with automatic migration upon logging in turned off. People
who have either newly registered or who have manually changed their password
will have a password string that contains some extra metadata to specify that it's
been hashed by bcrypt. Users who haven't (even if they've logged in) will still have
a plain sha1 in the database.

Unfortunately there's no "last changed" field, changelog or anything of that nature that
would enable PyPI to determine whether a particular user has ever changed their password.

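An added illustration, not code from the thread or from PyPI/passlib, of the distinction Donald describes: with no "last changed" record, the only signal that an account has been migrated is the stored string's format, so legacy bare SHA-1 hex digests are told apart from passlib-style bcrypt strings purely by shape. The regexes, helper names and sample rows below are assumptions of mine.

```python
import hashlib
import re

# Legacy storage: a bare 40-character hex SHA-1 digest, no scheme prefix.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Migrated storage: bcrypt in modular-crypt format as passlib emits it,
# i.e. "$2a$<cost>$<22-char salt><31-char hash>" (the "extra metadata").
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")


def hash_scheme(stored):
    """Classify a stored password string by its format alone."""
    if stored is None:
        return "missing"
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if SHA1_RE.match(stored):
        return "sha1"
    return "unknown"


def accounts_needing_reset(rows):
    """rows: iterable of (username, stored_password).

    Returns the usernames whose stored password is not already a bcrypt
    string; anything that is not recognisably migrated (legacy SHA-1,
    missing, or unrecognised) gets the forced reset, since a login alone
    does not prove the user changed their password.
    """
    return [user for user, stored in rows if hash_scheme(stored) != "bcrypt"]


# Constructed sample rows: bob changed his password after the migration,
# alice never did, carol has no usable hash at all.
SAMPLE_ROWS = [
    ("alice", hashlib.sha1(b"password").hexdigest()),
    ("bob", "$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("carol", None),
]

if __name__ == "__main__":
    for user, stored in SAMPLE_ROWS:
        print(f"{user}: {hash_scheme(stored)}")
    print("forced reset for:", accounts_needing_reset(SAMPLE_ROWS))
```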

