undefined | Better HN

0 pointsstaticassertion3y ago0 comments

OK? So more people use TOTP and there's a marginal security win. And maybe a few use a token, and there's a significant win.

0 comments

Wowfunhappy3y ago

TOTP is a minuscule security win in exchange for a significant amount of inconvenience, versus using a good password manager. If you want to prevent password reuse, add an option to use a pre-generated password as an alternative to 2FA.

I think the statement "these weaknesses are implementation specific", while true, is irrelevant when 99% of people affected by this mandate (and 99.9% of 2FA users in general) are going to use an implementation with these weaknesses. And, I think it really sucks that PyPI is loosing maintainers due to a policy that won't increase security in a meaningful way.

staticassertionOP3y ago

The difference between a password manager and TOTP is that TOTP is something PyPI can enforce and a password manager is not.

Yes, TOTP adds very little advantage when you have an already safe password. But there is no way for PyPI to know if you're doing that or not, and they can know if you're using 2FA.

> 99% of people affected by this mandate (and 99.9% of 2FA users in general) are going to use an implementation with these weaknesses

Time will tell. PyPI is giving away free keys, presumably to encourage adoption of the safer option.

I'm actually very happy to see maintainers go. If they weren't willing to enable 2FA I worry about what other issues their software poses.

Wowfunhappy3y ago

> Yes, TOTP adds very little advantage when you have an already safe password. But there is no way for PyPI to know if you're doing that or not.

But there is! Pre-generate a password for the user, instead of letting them supply one. This adds no extra inconvenience if you're already using a password manager, but it makes password reuse impossible.

1 more reply

j / k navigate · click thread line to collapse

0 comments

Wowfunhappy3y ago

staticassertionOP3y ago

The difference between a password manager and TOTP is that TOTP is something PyPI can enforce and a password manager is not.

Yes, TOTP adds very little advantage when you have an already safe password. But there is no way for PyPI to know if you're doing that or not, and they can know if you're using 2FA.

> 99% of people affected by this mandate (and 99.9% of 2FA users in general) are going to use an implementation with these weaknesses

Time will tell. PyPI is giving away free keys, presumably to encourage adoption of the safer option.

I'm actually very happy to see maintainers go. If they weren't willing to enable 2FA I worry about what other issues their software poses.

Wowfunhappy3y ago

> Yes, TOTP adds very little advantage when you have an already safe password. But there is no way for PyPI to know if you're doing that or not.

1 more reply

j / k navigate · click thread line to collapse