[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Chris Jerdonek chris.jerdonek at gmail.com
Mon Dec 11 11:19:34 EST 2017


On Mon, Dec 11, 2017 at 4:58 AM, Victor Stinner
<victor.stinner at gmail.com> wrote:
> ...
> Oh, my explanation makes the assumption that you all already enabled
> 2-factor auth on your email, right? :-) If you weren't aware: email is
> simply the *most* critical part of your whole online data. If a hacker
> gets access to your email, you already lost all your online
> accounts...

Why do you say this? Can't this only be true for accounts that allow
password recovery / reset via email?

--Chris


>
> For Gmail users: you may have a look at
> https://myaccount.google.com/security as well. Maybe remove old
> services that have access to your Google account?
>
>
> After the hack, I also generated a new SSH key, even if it wasn't
> stored online and is encrypted by a passphrase. Just because I had been
> using the same key for many years. I chose to use the new modern
> ed25519 key format. It uses an elliptic curve rather than RSA, it's a
> different kind of security. While I don't know if it's more secure, I
> read that it's faster :-)
>
> https://en.wikipedia.org/wiki/EdDSA
>
> I was able to use this new key format on all services... except Launchpad.
>
> Changing a private SSH key isn't easy:
>
> * You have to install the new SSH key on most services that you are using
> * You have to manually remove the old SSH key from *all* services that
> you are using (there is no global "SSH revocation" service...)
> * I used ~/.ssh/known_hosts to get most services, but also updated
> GitHub, Bitbucket, etc.
> * There are a few other services like psf-salt/psf-chef where you may
> also want to see your SSH key updated
> * The question is then if the old SSH key must be removed... the
> problem is that I never tried to keep track of services that I'm using
> through SSH, so I decided to keep the old SSH key (outside ~/.ssh). In
> practice, I have been using only my new SSH private key for longer than
> 6 months and I was never blocked.
>
> I also had trouble getting a working SSH agent on Gnome for my ed25519
> key, but I succeeded in enabling the regular ssh-agent using systemd
> --user. Tell me if you want instructions for this part as well.
>
> Victor
> _______________________________________________
> python-committers mailing list
> python-committers at python.org
> https://mail.python.org/mailman/listinfo/python-committers
> Code of Conduct: https://www.python.org/psf/codeofconduct/
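
Added example (not part of the original thread): the quoted message mentions using ~/.ssh/known_hosts to find the services where a rotated SSH key has to be replaced, and this sketch builds that inventory from known_hosts-format text. The sample content, host names, key blobs and the `inventory` function are constructed for illustration.

```python
import re

# Constructed sample in known_hosts format; hosts and key blobs are made up.
SAMPLE = """\
# constructed sample
github.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyOne
[git.example.org]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFakeKeyTwo
|1|c2FsdHNhbHQ=|aGFzaGhhc2g= ecdsa-sha2-nistp256 AAAAE2VjZHNhFakeKeyThree
@cert-authority *.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeCA
@revoked old.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFakeKeyFour
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFakeKeyFive
"""

def inventory(text):
    """Return (sorted host patterns, count of hashed entries that cannot be named)."""
    hosts, hashed = set(), 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split()
        if fields[0].startswith("@"):
            marker = fields.pop(0)        # @cert-authority or @revoked
            if marker == "@revoked":
                continue                  # a revoked host key, not a service in use
        if len(fields) < 3:
            continue                      # malformed: need hosts, key type, key
        for pattern in fields[0].split(","):
            if pattern.startswith("|1|"):
                hashed += 1               # HashKnownHosts entry: name is not recoverable
            elif pattern.startswith("!"):
                continue                  # negated pattern excludes hosts
            else:
                m = re.fullmatch(r"\[(.+)\]:(\d+)", pattern)  # non-default port form
                hosts.add(f"{m.group(1)}:{m.group(2)}" if m else pattern)
    return sorted(hosts), hashed

if __name__ == "__main__":
    names, hidden = inventory(SAMPLE)
    print("Services to review for the old public key:")
    for name in names:
        print("  " + name)
    print(f"{hidden} hashed entries could not be named")
```

Hashed entries cannot be listed by name, but a candidate host can be checked against them with `ssh-keygen -F hostname`. The result is only a starting list: hosts reached from other machines or removed from known_hosts will not appear in it.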

