[Distutils] "Please use a mix of different-case letters and numbers in your password"
Donald Stufft
donald at stufft.io
Wed Sep 4 12:52:15 CEST 2013
On Sep 4, 2013, at 6:50 AM, Jim Fulton <jim at zope.com> wrote:
> On Wed, Sep 4, 2013 at 6:33 AM, Antoine Pitrou <antoine at python.org> wrote:
>> Donald Stufft <donald <at> stufft.io> writes:
>>>
>>> On Sep 4, 2013, at 4:27 AM, Antoine Pitrou <antoine <at> python.org> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> On PyPI:
>>>> "Please use a mix of different-case letters and numbers in your password"
>>>>
>>>> Ok... has anyone decided to play BOFH on this one?
>>>>
>>>> Displaying recommendations is fine (and, why not, some kind of entropy
>>>> meter), enforcing stupid rules like that is not.
>>>>
>>>> Regards
>>>>
>>>> Antoine, trying to access his PyPI account...
>>>>
>>>>
>>>> _______________________________________________
>>>> Distutils-SIG maillist - Distutils-SIG <at> python.org
>>>> https://mail.python.org/mailman/listinfo/distutils-sig
>>>
>>> Use a better password,
>>
>> Ok, let me try to explain this, despite the fact that I would have
>> preferred not to lose time with this:
>>
>> Users don't want their security concerns to be dictated by a service
>> provider. Programmatically refusing passwords which are deemed "too
>> weak" is the kind of policy that I thought had disappeared since the 1990s
>> (yes, it's been tried before, like other stupid requirements such as
>> having to change passwords every month).
>>
>> Mandating that users choose hard-to-remember passwords only leads to them
>> writing down those passwords on post-it stickers (or sending themselves
>> clear-text reminder e-mails, etc.). It's counter-productive in addition
>> to being an annoyance when trying to do real work.
>>
>> I think it would be beneficial if you changed your attitude a bit here.
>> Caring about security is good. Mandating that other people follow
>> *your* security principles when dealing with *their* data is obnoxious
>> (and here the accent is really on "mandating"; it's fine to give advice).
>
> People (at least technical people) should use password managers.
>
> What annoys me is when a 40-character random password is rejected
> because it doesn't contain a number (or a capitalized character letter
> or whatever), when the same system would accept a 7-character
> password. (It's easy enough to add the missing bits to the password,
> which makes it merely annoying, but it also makes me think the system
> is sorta stupid.)
That should be fine for PyPI's restrictions! Length is the best way to
introduce more entropy anyways. Requiring longer passwords is
far better than requiring symbols or numbers.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
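A worked comparison of the two kinds of policy argued about above, added here as an example; it is not part of the thread and not PyPI's own code. It estimates entropy for a password drawn uniformly at random from the character classes it uses (accurate for password-manager output, an upper bound for human-chosen passwords), and pits a composition rule (mixed case plus a digit, with an assumed 7-character minimum taken from Jim's remark) against a length-based threshold of 60 bits (the threshold is an assumption). The sample passwords are constructed.

```python
import math
import string

# Character classes used for the entropy estimate. The estimate assumes the
# password was drawn uniformly at random from the union of the classes it
# actually uses; that holds for password-manager output and is only an upper
# bound for anything a human typed.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def random_entropy_bits(password: str) -> float:
    """Bits of entropy for len(password) characters drawn uniformly from
    the alphabet formed by the classes the password uses."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def composition_policy(password: str) -> bool:
    """The rule the thread objects to: lower case, upper case and a digit
    must all be present. The 7-character minimum is assumed for this example."""
    return len(password) >= 7 and {"lower", "upper", "digit"} <= classes_used(password)


def length_policy(password: str, min_bits: float = 60.0) -> bool:
    """The alternative: accept any password whose random-entropy estimate
    reaches min_bits, regardless of which classes it uses."""
    return random_entropy_bits(password) >= min_bits


def evaluate(password: str) -> dict:
    """Summarise how one password fares under both policies."""
    return {
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "bits": round(random_entropy_bits(password), 1),
        "composition_ok": composition_policy(password),
        "length_ok": length_policy(password),
    }


# Constructed samples: a 40-character lower-case-only string standing in for
# the password-manager output Jim describes, and a 7-character mixed string
# that satisfies the composition rule.
MANAGER_40_LOWER = "qzlvmxhcowpbefrxtkdjnuzsgwaiylvmopcrbeht"
SHORT_MIXED_7 = "Pa55w0r"


def compare(passwords=(MANAGER_40_LOWER, SHORT_MIXED_7)) -> list:
    """Evaluate each sample password under both policies."""
    return [evaluate(p) for p in passwords]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Running it shows the mismatch Jim describes: the 40-character lower-case string (about 188 bits under the random-generation assumption) fails the composition rule while the 7-character mixed string (about 42 bits at best) passes it; the length-based threshold accepts the first and rejects the second.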