[Distutils] "Please use a mix of different-case letters and numbers in your password"

Antoine Pitrou antoine at python.org
Wed Sep 4 12:33:27 CEST 2013


Donald Stufft <donald <at> stufft.io> writes:
> 
> On Sep 4, 2013, at 4:27 AM, Antoine Pitrou <antoine <at> python.org> wrote:
> 
> > 
> > Hi,
> > 
> > On PyPI:
> > "Please use a mix of different-case letters and numbers in your password"
> > 
> > Ok... has anyone decided to play BOFH on this one?
> > 
> > Displaying recommendations is fine (and, why not, some kind of entropy
> > meter), enforcing stupid rules like that is not.
> > 
> > Regards
> > 
> > Antoine, trying to access his PyPI account...
> > 
> > 
> > _______________________________________________
> > Distutils-SIG maillist  -  Distutils-SIG <at> python.org
> > https://mail.python.org/mailman/listinfo/distutils-sig
> 
> Use a better password,

Ok, let me try to explain this, despite the fact that I would have
preferred not to lose time with this:

Users don't want their security concerns to be dictated by a service
provider. Programmatically refusing passwords which are deemed "too
weak" is the kind of policy that I thought had disappeared since the 1990s
(yes, it's been tried before, like other stupid requirements such as
having to change passwords every month).

Mandating that users choose hard-to-remember passwords only leads to them
writing down those passwords on post-it stickers (or sending themselves
clear-text reminder e-mails, etc.). It's counter-productive in addition
to being an annoyance when trying to do real work.

I think it would be beneficial if you changed your attitude a bit here.
Caring about security is good. Mandating that other people follow
*your* security principles when dealing with *their* data is obnoxious
(and here the accent is really on "mandating"; it's fine to give advice).

Thanks

Antoine.
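An added illustration of the distinction the message draws between advising and mandating. This is example code, not from the thread or from PyPI: it puts the composition rule quoted in the subject line (reject unless mixed case plus digits) beside a crude character-class entropy estimate that only reports a verdict and never blocks. The pool sizes, thresholds and sample passwords are assumptions chosen for the demonstration.

```python
"""Advisory password feedback versus a hard composition rule.

Added example, not code from the Distutils-SIG thread or from PyPI. It shows
why a mandated "mix of cases and digits" rule can reject a long passphrase
that a naive entropy estimate rates far higher than a short "compliant" one.
Pool sizes and thresholds are assumptions for illustration only.
"""
import math
import string

# Assumed character pools. The estimate is deliberately naive: every character
# is treated as an independent draw from the union of the classes present.
POOLS = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "other": (set(string.punctuation + " "), 33),
}


def composition_rule_rejects(password: str) -> bool:
    """The rule from the subject line: reject unless the password contains
    both letter cases and at least one digit."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return not (has_lower and has_upper and has_digit)


def estimate_entropy_bits(password: str) -> float:
    """Character-class entropy: length * log2(size of the combined pool).
    Characters outside the assumed pools add nothing to the pool size."""
    pool = 0
    for chars, size in POOLS.values():
        if any(c in chars for c in password):
            pool += size
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def advise(password: str, weak_below: float = 40.0, strong_at: float = 80.0) -> dict:
    """Return advisory feedback only; the caller accepts whatever was typed.
    Thresholds are assumed values, not a recommendation from the thread."""
    bits = estimate_entropy_bits(password)
    if bits < weak_below:
        label = "weak"
    elif bits < strong_at:
        label = "fair"
    else:
        label = "strong"
    if len(password) < 12:
        hint = "Length raises the estimate faster than adding character classes."
    else:
        hint = "Length is the main contributor to this estimate."
    return {
        "accepted": True,  # never block on the strength estimate alone
        "estimated_bits": round(bits, 1),
        "label": label,
        "hint": hint,
    }


if __name__ == "__main__":
    # Constructed sample inputs: a long lowercase passphrase and a short
    # password that satisfies the composition rule.
    for pw in ("correct horse battery staple", "Passw0rd"):
        print(repr(pw), "rejected by rule:", composition_rule_rejects(pw),
              "advice:", advise(pw))
```

Running the block shows the passphrase being rejected by the composition rule while the entropy estimate rates it well above the short mixed-case password, which is the gap the message is complaining about. The advisory function always returns `accepted: True`; the strength label and hint are the meter, and the decision stays with the user.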



