[Distutils] "Please use a mix of different-case letters and numbers in your password"

Nick Coghlan ncoghlan at gmail.com
Wed Sep 4 16:52:06 CEST 2013


On 5 September 2013 00:31, Antoine Pitrou <antoine at python.org> wrote:
> Nick Coghlan <ncoghlan <at> gmail.com> writes:
>>
>> On 4 September 2013 23:39, Antoine Pitrou <antoine <at> python.org> wrote:
>> > PyPI is not a project like Fedora is. It is a community service for
>> > thousands of different people, with wildly different processes and
>> > constraints. You can't just order anyone "use your passwords like
>> > Nick and Donald do".
>>
>> Sure - dealing with security issues for PyPI is always a complex
>> balancing act between security, backwards compatibility and
>> avoiding raising barriers to entry.
>>
>> With the error message fixed, the current password rules are pretty
>> simple, and easy to satisfy by typing a few more letters, pressing
>> shift once or hitting a number key.
>
> Once again, the problem is *not* to create a strong enough password
> (a one-liner using os.urandom() and the base64 module works for that),
> it's to remember it without having to note it down or whatever the
> current fashionable form of self-reminder is.
>
> This is the whole reason people choose "weak" passwords, because they
> are those they're able to remember easily.

That's the whole reason the content restrictions turn themselves off
once the password hits 16 characters: passphrases are easy to
remember, and generally quite secure. So, no, "it's easy to remember"
is not an adequate excuse for choosing a poor password for a service
that has a lot of other people depending on its integrity.

Yes, there are *many* points of vulnerability for PyPI, and we've
hardened the password system enough at this point that it's not
currently the easiest attack vector (probably, anyway). But a security
system is only as strong as its weakest link, and there's no way we're
going to deliberately weaken this one, and a definite chance that at
some (distant) point in the future we'll strengthen it further.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
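Added example, not code from this thread or from PyPI itself: a checker for the rule Nick describes (mixed-case letters and digits required below 16 characters, content restrictions switched off at 16 or more), with a minimum length of 8 assumed since the thread does not state one, plus Antoine's os.urandom/base64 one-liner to show that such a generated string clears the 16-character bar.

```python
import os
import base64

MIN_LENGTH = 8          # assumed floor; the thread does not give PyPI's actual value
PASSPHRASE_LENGTH = 16  # length at which, per the thread, content rules switch off


def check_password(pw: str) -> list[str]:
    """Return a list of problems; an empty list means the password is acceptable.

    Below PASSPHRASE_LENGTH the password must mix upper-case, lower-case and
    digits. At PASSPHRASE_LENGTH or more, only the length floor still applies,
    so a memorable passphrase is accepted without any character-class rule.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"password must be at least {MIN_LENGTH} characters")
    if len(pw) >= PASSPHRASE_LENGTH:
        return problems  # passphrase: no content restrictions
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    if not (has_lower and has_upper and has_digit):
        problems.append(
            "Please use a mix of different-case letters and numbers in your "
            f"password, or a passphrase of at least {PASSPHRASE_LENGTH} characters"
        )
    return problems


def random_password(nbytes: int = 12) -> str:
    """Antoine's one-liner: 12 random bytes base64-encode to 16 characters."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


if __name__ == "__main__":
    for candidate in ["abc", "tr0ub4dor&3", "Tr0ub4dor&3",
                      "correct horse battery staple", random_password()]:
        print(repr(candidate), check_password(candidate) or "ok")
```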