[Distutils] "Please use a mix of different-case letters and numbers in your password"

Jim Fulton jim at zope.com
Wed Sep 4 12:50:21 CEST 2013


On Wed, Sep 4, 2013 at 6:33 AM, Antoine Pitrou <antoine at python.org> wrote:
> Donald Stufft <donald <at> stufft.io> writes:
>>
>> On Sep 4, 2013, at 4:27 AM, Antoine Pitrou <antoine <at> python.org> wrote:
>>
>> >
>> > Hi,
>> >
>> > On PyPI:
>> > "Please use a mix of different-case letters and numbers in your password"
>> >
>> > Ok... has anyone decided to play BOFH on this one?
>> >
>> > Displaying recommendations is fine (and, why not, some kind of entropy
>> > meter), enforcing stupid rules like that is not.
>> >
>> > Regards
>> >
>> > Antoine, trying to access his PyPI account...
>> >
>> >
>> > _______________________________________________
>> > Distutils-SIG maillist  -  Distutils-SIG <at> python.org
>> > https://mail.python.org/mailman/listinfo/distutils-sig
>>
>> Use a better password,
>
> Ok, let me try to explain this, despite the fact that I would have
> preferred not to lose time with this:
>
> Users don't want their security concerns to be dictated by a service
> provider. Programmatically refusing passwords which are deemed "too
> weak" is the kind of policy that I thought had disappeared since the 1990s
> (yes, it's been tried before, like other stupid requirements such as
> having to change passwords every month).
>
> Mandating that users choose hard-to-remember passwords only leads to them
> writing down those passwords on post-it stickers (or send themselves
> clear-text reminder e-mails, etc.). It's counter-productive in addition
> to being an annoyance when trying to do real work.
>
> I think it would be beneficial if you changed your attitude a bit here.
> Caring about security is good. Mandating that other people follow
> *your* security principles when dealing with *their* data is obnoxious
> (and here the accent is really on "mandating"; it's fine to give advice).

People (at least technical people) should use password managers.

What annoys me is when a 40-character random password is rejected
because it doesn't contain a number (or a capitalized letter
or whatever), when the same system would accept a 7-character
password. (It's easy enough to add the missing bits to the password,
which makes it merely annoying, but it also makes me think the system
is sorta stupid.)

Jim

-- 
Jim Fulton
http://www.linkedin.com/in/jimfulton
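As an added illustration of the point above (example code, not from the thread or from PyPI): a composition rule like the one quoted rejects a 40-character random lowercase password while accepting a 7-character one, whereas a length-and-character-set entropy estimate ranks them the other way. The rule, the 60-bit threshold and the sample passwords are assumptions; the estimate is an upper bound that assumes each character was drawn uniformly at random, so it is only meaningful for generated passwords.

```python
import math
import string

# Constructed sample passwords for the two cases discussed (not real credentials).
LONG_RANDOM = "xkqvbtwpmzrhjlcndgsyfaeoiuxkqvbtwpmzrhjl"  # 40 random-looking lowercase letters
SHORT_MIXED = "Pa55wrd"                                  # 7 characters, satisfies the rule


def composition_rule_ok(pw: str) -> bool:
    """Assumed reading of the PyPI-style rule: lower-case, upper-case and a digit."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def entropy_bits(pw: str) -> float:
    """Upper-bound entropy: length * log2(size of the smallest character-class
    union that covers the password). Assumes uniformly random characters."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    if any(c not in string.printable for c in pw):
        pool += 32  # assumption: a flat allowance for non-ASCII characters
    return len(pw) * math.log2(pool) if pool else 0.0


def entropy_rule_ok(pw: str, min_bits: float = 60.0) -> bool:
    """Length-based check: accept anything whose estimated entropy clears the threshold."""
    return entropy_bits(pw) >= min_bits


def compare(pw: str) -> dict:
    """Report both verdicts side by side for one password."""
    return {
        "composition_rule": composition_rule_ok(pw),
        "entropy_bits": round(entropy_bits(pw), 1),
        "entropy_rule": entropy_rule_ok(pw),
    }


if __name__ == "__main__":
    for pw in (LONG_RANDOM, SHORT_MIXED):
        print(len(pw), compare(pw))
```

The 40-character password scores roughly 188 bits yet fails the composition rule; the 7-character one passes the rule at roughly 42 bits and fails the entropy check.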

