Richard Jones' Log: PyPI password-related security changes

Fri, 15 Feb 2013
TL;DR: please log into PyPI and change your password.

Recently we have been auditing and improving security of the Python Package Index (PyPI) and other hosts.

You may be aware that the host was compromised. Since we must assume that all passwords stored in that system are also compromised, and we also assume that some users share passwords between systems, we are performing a password reset of all PyPI accounts in one week's time, at 2013-02-22 00:00 UTC.

If you log in before that deadline and change your password then you'll be fine, otherwise you'll need to use the password recovery form after the reset has occurred.

Additionally, we would ask you to begin to access PyPI using HTTPS through the web. We're in the process of installing a new SSL certificate so the current Big Red Certificate Warning should go away very soon.

We are in the process of updating the Python packaging toolset to use HTTPS.

These steps are but a couple of those we're intending to take to better secure PyPI. If you are interested in these matters I encourage you to participate in the discussion on the catalog SIG.

Finally, we apologise for any inconvenience these changes have caused.