[Distutils] "Please use a mix of different-case letters and numbers in your password"

Nick Coghlan ncoghlan at gmail.com
Wed Sep 4 15:10:32 CEST 2013


On 4 September 2013 22:53, Antoine Pitrou <antoine at python.org> wrote:
> Well, can I use "aaaaaaaaaaaaaaaaaaaaaaaa" too or do I have to use
> "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA"?
>
> If that works, you could disable the restriction right now
> because it is not securing anything, it's just a "feel-good"
> restriction for security nerds.

It's about increasing the search space for attackers. I've submitted a
patch to mention the 16 character threshold where all other checks no
longer apply in the error message, but running basic security checks
against new passwords is normal, and not something we're going to stop
doing. It's quite possible that at some point in the future we'll
start implementing stricter checks like those used for the Fedora
Account System (this is especially likely if accounts start being
linked across the python.org infrastructure, such that the consequences
of a password compromise become even more significant).

If the PyPI password restrictions ever feel too onerous, then OpenID
is another alternative (albeit not one that works with the command
line tools). However, you should be able to use pypissh for CLI access
in that case.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
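The policy described in the message above (a mix of letter cases and numbers required, with the character-class checks no longer applying at the 16 character threshold), together with the search-space point raised in the quoted reply, as an added Python example that is not part of the original thread and not PyPI's own code. The minimum length, the exact error strings other than the one in the subject line, the alphabet sizes, and the repeated-pattern estimate are assumptions made for the example.

```python
import math
import string

# Stated in the thread: at this length the other checks no longer apply.
CLASS_CHECK_EXEMPT_LENGTH = 16
# Assumption: the thread does not state a minimum length; pick one for the example.
MIN_LENGTH = 8

# Assumed alphabet sizes per character class, used only for the search-space estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def check_password(password):
    """Return a list of policy violations; an empty list means the password is accepted.

    Mirrors the policy described in the thread: class checks apply only below
    the 16 character threshold. The minimum-length check is an assumption.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("Password must be at least %d characters" % MIN_LENGTH)
        return problems
    if len(password) >= CLASS_CHECK_EXEMPT_LENGTH:
        return problems  # long passwords are exempt from the class checks
    classes = character_classes(password)
    if not {"lower", "upper"} <= classes:
        problems.append("Please use a mix of different-case letters")
    if "digit" not in classes:
        problems.append("Please use numbers in your password")
    return problems


def naive_search_space_bits(password):
    """Search space (in bits) an attacker faces if they must brute-force the
    full alphabet implied by the classes present, for the full length."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet)


def smallest_period(password):
    """Length of the shortest unit the password is a repetition of.

    A string s is a repetition of a shorter unit exactly when s occurs in
    s + s at an offset before len(s); the first such offset is the period.
    """
    return (password + password).find(password, 1)


def is_repeated_pattern(password):
    return len(password) > 1 and smallest_period(password) < len(password)


def effective_bits(password):
    """Crude estimate of what the class-based bound misses: if the password
    merely repeats a short unit, only that unit contributes to the search space.
    This is an assumed heuristic, not a property of any real checker."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return smallest_period(password) * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed sample passwords, including the two from the quoted reply.
    for pw in ["aaaaaaaaaaaaaaaaaaaaaaaa", "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA",
               "aAaAaAaA", "aAaAaAa1", "short"]:
        print("%-34s accepted=%-5s naive=%6.1f bits effective=%5.1f bits" % (
            pw, not check_password(pw), naive_search_space_bits(pw), effective_bits(pw)))
```

Running the block shows the point both sides of the thread are making: the class checks do enlarge the alphabet an attacker has to assume, but a password that passes them by repeating a two character unit collapses to roughly the search space of that unit, and the 16 character exemption accepts a run of a single letter unchanged.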
