[Distutils] "Please use a mix of different-case letters and numbers in your password"

Donald Stufft donald at stufft.io
Wed Sep 4 14:08:13 CEST 2013


On Sep 4, 2013, at 7:28 AM, Paul Moore <p.f.moore at gmail.com> wrote:

> On 4 September 2013 11:33, Antoine Pitrou <antoine at python.org> wrote:
>> Users don't want their security concerns to be dictated by a service
>> provider. Programmatically refusing passwords which are deemed "too
>> weak" is the kind of policy that I thought had disappeared since the 1990s
>> (yes, it's been tried before, like other stupid requirements such as
>> having to change passwords every month).
> 
> +1.
> 
> I will not spend time explaining my situation to people, but please
> assume that there are people in the world for whom using a password
> manager is not convenient, and having passwords on paper in a wallet
> is *also* not convenient. Unique, high-entropy passwords conforming to
> a constantly-changing set of arbitrary restrictions may be ideal in
> some sense, but people protect their bank cards with a four digit PIN
> number, and the world hasn't yet fallen apart.

This is a false equivalency. Sure, people protect their bank cards with
a four-digit PIN, but it also typically requires having the physical card
itself (attacks such as skimming aside). I'd be OK with relaxing the
restrictions if we can also mandate a physical factor, but that is more
onerous than the simple restriction that exists already.

If you can't maintain a basic level of security on your account, maybe
you shouldn't be releasing code for other people to use? If you're
releasing code, a compromise of your account exposes *other* people
to risk (which is also unlike your bank card example). I don't think it's
that hard to remember a 16+ character password that has no other
restrictions besides being 16+ characters. Hell, repeat your original
password twice and there you go (passwords also must be at least
8 characters).

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
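The two policies the message contrasts, written out as an added example (this is not PyPI's or distutils' own code, and the thread does not spell out the exact rules). Assumed here: the existing rule is "at least 8 characters" plus "a mix of different-case letters and numbers", taken to mean at least one lowercase letter, one uppercase letter and one decimal digit; the proposed alternative is "16 or more characters, no other restriction"; and a password is accepted if it satisfies either rule, so the "repeat your original password twice" route works. The sample passwords are constructed for illustration.

```python
"""Added example: the password policies discussed in the thread.

Not PyPI's implementation. Assumptions (not stated in the message):
  * "mix of different-case letters and numbers" means at least one
    lowercase letter, one uppercase letter and one decimal digit;
  * the existing minimum length is 8 characters, as the message says;
  * the proposed relaxation is 16+ characters with no other rule.
"""

MIN_LEN_COMPOSITION = 8   # existing rule: >= 8 chars plus composition rule
MIN_LEN_LENGTH_ONLY = 16  # proposed rule: >= 16 chars, nothing else

COMPOSITION_MESSAGE = "please use a mix of different-case letters and numbers"


def check_composition_policy(password: str) -> list[str]:
    """Existing-style policy. Returns the list of violations (empty = OK).

    Length is measured in code points, not bytes, so a non-ASCII
    passphrase is judged on what the user actually typed.
    """
    problems = []
    if len(password) < MIN_LEN_COMPOSITION:
        problems.append(f"shorter than {MIN_LEN_COMPOSITION} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_lower and has_upper and has_digit):
        problems.append(COMPOSITION_MESSAGE)
    return problems


def check_length_only_policy(password: str) -> list[str]:
    """Proposed policy: length is the only requirement."""
    if len(password) < MIN_LEN_LENGTH_ONLY:
        return [f"shorter than {MIN_LEN_LENGTH_ONLY} characters"]
    return []


def acceptable(password: str) -> bool:
    """Accept a password that satisfies either policy.

    The long-password route lets a user who dislikes composition rules
    skip them entirely, which is the trade-off the message proposes.
    """
    return (not check_composition_policy(password)
            or not check_length_only_policy(password))


def doubled(password: str) -> str:
    """The workaround from the message: repeat the original password."""
    return password * 2


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("correcthorse", doubled("correcthorse"), "Tr0ub4dor", "aB1"):
        print(f"{sample!r}: composition={check_composition_policy(sample)} "
              f"length-only={check_length_only_policy(sample)} "
              f"accepted={acceptable(sample)}")
```

Note that `acceptable` takes the union of the two rules, so an all-lowercase 12-character password is rejected while the same string repeated (24 characters) passes; that is exactly the behaviour the message argues is good enough, and whether a doubled password is meaningfully stronger than the original is the question the thread leaves open.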
