[Catalog-sig] Mandatory Reset of PyPI Passwords

M.-A. Lemburg mal at egenix.com
Thu Feb 14 11:25:59 CET 2013


On 14.02.2013 00:17, Richard Jones wrote:
> On 13 February 2013 22:32, Giovanni Bajo <rasky at develer.com> wrote:
>> Il giorno 13/feb/2013, alle ore 12:14, Richard Jones <richard at python.org> ha scritto:
>>>
>>> 2. fix the email password reset debacle (mostly written, not tested),
>>
>> Is this committed anywhere I can take a look?
> 
> It will be presently. In short, the old procedure was:
> 
> 1. user enters username in form and is emailed a link back to PyPI
> which embeds the username and password,
> 2. user clicks link and, on receiving both username and email address
> a new password is generated and mailed to the email address.
> 
> If the user knows both the username and email address they can skip
> straight to step 2.
> 
> The new scheme involves:
> 
> 1. user enters username in "I've forgotten my password" form,
> 2. PyPI emails user with a link back to itself with a reset OTK (32
> random chars from letters+digits) valid for 6 hours,
> 3. On clicking the link the user sees a password reset form where they
> enter their new password, and
> 4. On submitting the reset form the OTK is deleted and password changed.
> 
> If an invalid username is entered PyPI will say so: the set of pypi
> usernames is public anyway through APIs and general web scraping and
> this behaviour is more user-friendly than the more common "I may or
> may not have emailed you a reset email."

Thanks for sending the scheme.

To help prevent phishing attacks, you could add a
user token field to the form in step 1, which is sent in the
step 2 email. A user can then more easily detect whether s/he
requested the password reset. VISA/MasterCard use a similar
approach with their "user defined welcome message".

The scheme does not protect against email sniffing attacks,
but I'm not sure how that could be done without adding
some form of two factor authentication.

Here's the scenario:

* it's PyCon again
* attacker sets up a script that runs the password reset form
  for a few hundred interesting accounts
* attacker sets up a WLAN sniffer to look for pypi reset emails
* attacker starts the script and waits for reset emails
* attacker finds an email, uses the link and sets a new password
  on the account before the account owner can intervene

While many people will probably use secure methods to access
their email, there will likely be some that also receive emails
on mobile phones or pads using plain text transmission.

It may be helpful to add some form of surge protection to
PyPI to detect and help prevent the above attack. Such a
surge protection would likely also help detect unwanted
PyPI crawling.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 14 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
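The reset scheme quoted above, together with the user-chosen anti-phishing token and the surge protection suggested in this message, as an added example in Python (illustration only, not PyPI's code). The OTK format (32 letters+digits, 6-hour validity, deleted on use) follows the quoted description; the limit of three reset requests per account per window, the in-memory storage and the `ResetService` names are assumptions.

```python
"""Added example: single-use password-reset OTKs with expiry, a user-chosen
anti-phishing token echoed in the email, and per-account surge limiting.
Illustration only, not PyPI's own implementation."""
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
OTK_LEN = 32                    # 32 random chars from letters+digits (as quoted)
OTK_TTL = 6 * 3600              # valid for 6 hours (as quoted)
MAX_REQUESTS_PER_WINDOW = 3     # assumed surge limit per account per TTL window


class ResetService:
    def __init__(self):
        self._otks = {}      # sha256(otk) -> (username, expires_at, user_token)
        self._requests = {}  # username -> list of request timestamps

    def request_reset(self, username, user_token, now):
        """Steps 1/2: rate-limit, mint an OTK, return what the email carries."""
        recent = [t for t in self._requests.get(username, []) if now - t < OTK_TTL]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return None  # surge protection: refuse; caller can log/alert here
        self._requests[username] = recent + [now]
        otk = "".join(secrets.choice(ALPHABET) for _ in range(OTK_LEN))
        # Store only a hash, so a copy of the table cannot be replayed as links.
        key = hashlib.sha256(otk.encode()).hexdigest()
        self._otks[key] = (username, now + OTK_TTL, user_token)
        # The user_token lets the recipient recognise a reset they asked for.
        return {"link_otk": otk, "user_token": user_token}

    def consume(self, otk, now):
        """Steps 3/4: validate the OTK, delete it, and return the username."""
        key = hashlib.sha256(otk.encode()).hexdigest()
        record = self._otks.pop(key, None)  # pop makes the OTK single-use
        if record is None:
            return None
        username, expires_at, _ = record
        if now > expires_at:
            return None  # expired: already removed, cannot be retried
        return username
```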

