[Distutils] "Please use a mix of different-case letters and numbers in your password"

Paul Moore p.f.moore at gmail.com
Wed Sep 4 13:28:14 CEST 2013


On 4 September 2013 11:33, Antoine Pitrou <antoine at python.org> wrote:
> Users don't want their security concerns to be dictated by a service
> provider. Programmatically refusing passwords which are deemed "too
> weak" is the kind of policy that I thought had disappeared since the 1990s
> (yes, it's been tried before, like other stupid requirements such as
> having to change passwords every month).

+1.

I will not spend time explaining my situation to people, but please
assume that there are people in the world for whom using a password
manager is not convenient, and having passwords on paper in a wallet
is *also* not convenient. Unique, high-entropy passwords conforming to
a constantly-changing set of arbitrary restrictions may be ideal in
some sense, but people protect their bank cards with a four digit PIN
number, and the world hasn't yet fallen apart.

(Note by the way that the PyPI restrictions would not accept the
complete text of the above paragraph as a valid password. I bet it has
pretty high entropy, though...)

<climbs down off the hobby horse>
Paul
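As an added illustration of the point Paul makes about the paragraph (this is not code from the thread or from PyPI): a composition rule modelled on the subject line (assumed to require an upper-case letter, a lower-case letter and a digit) rejects that paragraph because it contains no digit, while a crude entropy estimate rates it far above a short string that satisfies the rule.

```python
import math
from collections import Counter

# Constructed candidate "password": the paragraph from the post above.
PARAGRAPH = (
    "Unique, high-entropy passwords conforming to a constantly-changing set "
    "of arbitrary restrictions may be ideal in some sense, but people protect "
    "their bank cards with a four digit PIN number, and the world hasn't yet "
    "fallen apart."
)


def passes_composition_rule(pw: str) -> bool:
    """Assumed model of the rule in the subject line: mixed case plus a digit."""
    return (
        any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
    )


def shannon_entropy_bits(pw: str) -> float:
    """Total Shannon entropy (bits) from the empirical character frequencies.

    Crude estimator: it ignores that English text is predictable, so it
    overstates per-character entropy, but it shows that length, not the
    character classes present, is what drives the estimate.
    """
    n = len(pw)
    counts = Counter(pw)
    per_char = -sum((k / n) * math.log2(k / n) for k in counts.values())
    return per_char * n


def evaluate(pw: str) -> dict:
    """Summarise how one candidate fares under each criterion."""
    return {
        "length": len(pw),
        "composition": passes_composition_rule(pw),
        "entropy_bits": round(shannon_entropy_bits(pw), 1),
    }


if __name__ == "__main__":
    for candidate in (PARAGRAPH, "Pa55w0rd"):  # second value is constructed
        print(evaluate(candidate))
```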