[Distutils] "Please use a mix of different-case letters and numbers in your password"

Donald Stufft donald at stufft.io
Wed Sep 4 12:43:09 CEST 2013


On Sep 4, 2013, at 6:33 AM, Antoine Pitrou <antoine at python.org> wrote:

> Donald Stufft <donald <at> stufft.io> writes:
>> 
>> On Sep 4, 2013, at 4:27 AM, Antoine Pitrou <antoine <at> python.org> wrote:
>> 
>>> 
>>> Hi,
>>> 
>>> On PyPI:
>>> "Please use a mix of different-case letters and numbers in your password"
>>> 
>>> Ok... has anyone decided to play BOFH on this one?
>>> 
>>> Displaying recommendations is fine (and, why not, some kind of entropy
>>> meter), enforcing stupid rules like that is not.
>>> 
>>> Regards
>>> 
>>> Antoine, trying to access his PyPI account...
>>> 
>>> 
>>> _______________________________________________
>>> Distutils-SIG maillist  -  Distutils-SIG <at> python.org
>>> https://mail.python.org/mailman/listinfo/distutils-sig
>> 
>> Use a better password,
> 
> Ok, let me try to explain this, despite the fact that I would have
> preferred not to lose time with this:
> 
> Users don't want their security concerns to be dictated by a service
> provider. Programmatically refusing passwords which are deemed "too
> weak" is the kind of policy that I thought had disappeared since the 1990s
> (yes, it's been tried before, like other stupid requirements such as
> having to change passwords every month).
> 
> Mandating that users choose hard-to-remember passwords only leads to them
> writing down those passwords on post-it stickers (or sending themselves
> clear-text reminder e-mails, etc.). It's counter-productive in addition
> to being an annoyance when trying to do real work.
> 
> I think it would be beneficial if you changed your attitude a bit here.
> Caring about security is good. Mandating that other people follow
> *your* security principles when dealing with *their* data is obnoxious
> (and here the accent is really on "mandating"; it's fine to give advice).


The "hard to remember" restrictions only kick in if your password is less than
16 characters. If you don't want to include symbols, make it longer. Requiring
a decent password for a system where, if your account gets compromised, the
compromise can oftentimes be daisy-chained into attacks on lots of developer
machines is a reasonable thing to do.

As to the assumption that writing down passwords is bad, I'll just defer to the
experts: Bruce Schneier and Jesper Johansson both urge people to write
down their passwords. In the words of Schneier:

"We're all good at securing small pieces of paper. I recommend that people
write their passwords down on a small piece of paper, and keep it with their
other valuable small pieces of paper: in their wallet."

That all being said, I wasn't the person who added the restrictions; I merely
agree with them.


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
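Added example, not code from this thread or from PyPI itself: a small Python checker that implements the rule as Donald describes it (the mixed-case-and-digit requirement applies only to passwords shorter than 16 characters; longer passwords are accepted on length alone) and adds the kind of advisory "entropy meter" Antoine suggests instead of a hard rule. The 8-character absolute minimum, the function names, and the character-class entropy estimate are assumptions of this example; the thread does not state how PyPI actually computes any of this.

```python
import math
import string
from typing import Tuple

# Assumed policy constants. The message says the mixed-case/digit rule only
# applies below 16 characters; the absolute minimum of 8 is a constructed
# assumption for this example, not something the thread states.
LONG_PASSWORD_LEN = 16
MIN_PASSWORD_LEN = 8

# The message PyPI shows, quoted from the thread.
MIX_MESSAGE = "Please use a mix of different-case letters and numbers in your password"


def has_mixed_case_and_digits(pw: str) -> bool:
    """True when the password contains lowercase, uppercase and a digit."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def check_password(pw: str) -> Tuple[bool, str]:
    """Apply the length-dependent rule: short passwords must mix character
    classes, long ones are accepted on length alone.
    Returns (accepted, reason)."""
    if len(pw) < MIN_PASSWORD_LEN:
        return False, f"Password must be at least {MIN_PASSWORD_LEN} characters"
    if len(pw) < LONG_PASSWORD_LEN and not has_mixed_case_and_digits(pw):
        return False, MIX_MESSAGE
    return True, "ok"


def estimate_entropy_bits(pw: str) -> float:
    """Crude entropy meter: length * log2(size of the character classes used).

    This treats every character as uniformly random, so it overstates the
    strength of dictionary words and keyboard patterns; it is meant as
    feedback to the user, not as a gate. A real meter would also match
    against common-password lists and repeated patterns."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # the 32 ASCII symbols
    if " " in pw:
        alphabet += 1  # spaces, as in word-based passphrases
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def evaluate(pw: str) -> dict:
    """Combine the hard rule with the advisory entropy estimate."""
    accepted, reason = check_password(pw)
    return {"accepted": accepted,
            "reason": reason,
            "entropy_bits": round(estimate_entropy_bits(pw), 1)}


if __name__ == "__main__":
    # Constructed sample passwords for illustration, not real credentials.
    for sample in ["password1", "Passw0rd!", "correct horse battery staple", "short"]:
        print(f"{sample!r:34} -> {evaluate(sample)}")
```

Running it shows the point Donald makes: a 28-character all-lowercase passphrase passes the rule without any symbols and scores far higher on the crude meter than a 9-character password that satisfies the mixed-case-and-digit requirement, so the length exemption does not weaken the policy.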
