[Distutils] Password security

Nick Coghlan ncoghlan at gmail.com
Wed Sep 4 17:28:32 CEST 2013


On 5 September 2013 00:59, Antoine Pitrou <antoine at python.org> wrote:
> Nick Coghlan <ncoghlan <at> gmail.com> writes:
>>
>> That's the whole reason the content restrictions turn themselves off
>> once the password hits 16 characters: passphrases are easy to
>> remember, and generally quite secure. So, no, "it's easy to remember"
>> is not an adequate excuse for choosing a poor password for a service
>> that has a lot of other people depending on its integrity.
>
> Then please add helpful guidelines as to how people can choose a safe
> and easy to remember password /or passphrase/. Most people aren't password
> experts, and the current one-line message isn't useful.

It's a complex topic, hence it takes long articles like
http://arstechnica.com/information-technology/2013/06/the-secret-to-online-safety-lies-random-characters-and-a-password-manager/
to do it justice.

The *best* answer is for a service to use 2-factor authentication
instead of relying entirely on passwords (the "physical object" Donald
mentioned earlier), but we don't have the resources to set that up,
and certainly can't require it for all PyPI users (since you either
need a physical token or a phone capable of running an app like Google
Authenticator).

Second best is to use a password manager, either to help remember
complex manually generated passwords, letting it generate the
passwords for you, or a combination of the two. The Ars article linked
above goes through some of the available options.

Third is to encourage or require people to use better passwords. The
third page of the Ars password management article
(http://arstechnica.com/information-technology/2013/06/the-secret-to-online-safety-lies-random-characters-and-a-password-manager/3/)
gives some example techniques for generating good passphrases.
There's also the XKCD method (https://xkcd.com/936/) and the Schneier
method (see towards the end of
https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html).

A better password metering system than the current binary
"allowed/disallowed" would definitely be desirable (see
http://arstechnica.com/security/2013/05/its-official-password-strength-meters-arent-security-theater/),
but isn't going to happen in the current PyPI web application. It
might be possible after the migration to Warehouse is complete,
though.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
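A worked illustration of the two techniques the message contrasts, added here as an example and not code from PyPI, Warehouse or the original post: a generated XKCD-style passphrase with its entropy computed from the word-list size, the same figure for a random character password, and a length-aware acceptance check of the kind the message describes, where the content rule stops applying once a password reaches 16 characters. The 16-character threshold is the post's; the minimum length of 8, the "three of four character classes" rule and the small word list are assumptions standing in for whatever PyPI actually enforced (a real deployment would use a full list of several thousand words).

```python
"""Passphrase generation, entropy comparison and a length-aware password policy.

Added example; not PyPI's or Warehouse's code. The 16-character threshold comes
from the mailing-list post. The minimum length (8), the content rule (three of
four character classes) and the word list below are assumptions for illustration.
"""
import math
import secrets
import string

# Constructed sample word list for the example. A real list (EFF, Diceware)
# has thousands of entries; entropy scales with log2(len(words)), not with
# how exotic the words look.
SAMPLE_WORDS = [
    "apple", "basket", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "tunnel", "umbrella", "violin", "walnut", "xenon",
    "yellow", "zephyr", "anchor", "bridge", "copper", "desert", "engine", "feather",
]


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words drawn uniformly and independently from a list of list_size words."""
    return num_words * math.log2(list_size)


def random_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a length-character password drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words=4, words=SAMPLE_WORDS, separator=" ", choice=secrets.choice):
    """XKCD-style passphrase: independent uniform draws from the word list.

    The entropy claim only holds because the draws are uniform and random;
    words the user picks themselves are not. `choice` defaults to secrets.choice
    (CSPRNG); pass random.Random(seed).choice for a reproducible demo.
    """
    if num_words < 1 or len(words) < 2:
        raise ValueError("need at least one word drawn from a list of at least two")
    return separator.join(choice(words) for _ in range(num_words))


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/punctuation appear in the password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(1 for cls in classes if any(c in cls for c in password))


def check_password_policy(password: str, min_length: int = 8, passphrase_length: int = 16,
                          required_classes: int = 3):
    """Return (accepted, reason).

    Below passphrase_length the content rule applies; at or above it the rule
    is waived, which is what "content restrictions turn themselves off once
    the password hits 16 characters" means in practice. Assumed numbers:
    min_length and required_classes.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(password) >= passphrase_length:
        return True, f"{len(password)} characters: passphrase length, content rule waived"
    n = character_classes(password)
    if n < required_classes:
        return False, f"only {n} of {required_classes} required character classes"
    return True, f"{len(password)} characters with {n} character classes"


if __name__ == "__main__":
    # Four words from a 7776-word Diceware-size list versus eight random alphanumerics.
    print("4-word passphrase, 7776-word list:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("8 random chars, 62-symbol alphabet:", round(random_password_entropy_bits(8, 62), 1), "bits")
    phrase = generate_passphrase()
    print("sample passphrase:", phrase, "->", check_password_policy(phrase))
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(repr(pw), "->", check_password_policy(pw))
```

The entropy comparison is the reason the length exemption is defensible: four uniformly chosen words from a 7776-word list carry about 51.7 bits, more than eight random mixed-case alphanumerics (about 47.6 bits), without needing any digits or symbols. The check is still binary accept/reject; a metering display would instead expose something like the estimated bits to the user.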

