[Distutils] "Please use a mix of different-case letters and numbers in your password"
Antoine Pitrou
antoine at python.org
Wed Sep 4 16:31:13 CEST 2013
Nick Coghlan <ncoghlan <at> gmail.com> writes:
>
> On 4 September 2013 23:39, Antoine Pitrou <antoine <at> python.org> wrote:
> > PyPI is not a project like Fedora is. It is a community service for
> > thousands of different people, with wildly different processes and
> > constraints. You can't just order anyone "use your passwords like
> > Nick and DOnald do".
>
> Sure - dealing with security issues for PyPI is always a complex
> balancing acting between security, backwards compatibility and
> avoiding raising barriers to entry.
>
> With the error message fixed, the current password rules are pretty
> simple, and easy to satisfy by typing a few more letters, pressing
> shift once or hitting a number key.
Once again, the problem is *not* to create a strong enough password
(a one-liner using os.urandom() and the base64 module works for that),
it's to remember it without having to note it down or whatever the
current fashionable form of self-reminder is.
This is the whole reason people choose "weak" passwords, because they
are those they're able to remember easily.
> However, PyPI users need to recognise that it isn't the integrity of
> *their* accounts that we're primarily worried about when attempting to
> minimise login vulnerabilities. Our primary concern (after the
> integrity of PyPI itself), is the integrity of end users' machines. So
> when we place restrictions on uploaders, it's guided by a desire to be
> worthy of the exceptional levels of trust placed in the service by
> anyone that types "pip install <distribution>" or "easy_install
> <distribution>" or just downloads a file directly from the site.
But there are many other ways to compromise a developers' account than
to brute-force their PyPI password.
Since most of the package production process is out of reach of PyPI
administrators, it is a hopeless endeavour to try to provide security
*in PyPI* in this regard. Similarly, someone signing a package using GPG
doesn't say anything about the strength of their passphrase, or whether
the private key was leaked somewhere.
Again, provide the tools that allows users to make their authentication
stronger and less easily breakable, but don't try to *enforce* it.
Regards
Antoine.
More information about the Distutils-SIG
mailing list