[Distutils] "Please use a mix of different-case letters and numbers in your password"

Antoine Pitrou antoine at python.org
Wed Sep 4 15:39:02 CEST 2013


Nick Coghlan <ncoghlan <at> gmail.com> writes:
> 
> On 4 September 2013 22:53, Antoine Pitrou <antoine <at> python.org> wrote:
> > Well, can I use "aaaaaaaaaaaaaaaaaaaaaaaa" too or do I have to use
> > "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA"?
> >
> > If that works, you could disable the restriction right now
> > because it is not securing anything, it's just a "feel-good"
> > restriction for security nerds.
> 
> It's about increasing the search space for attackers. I've submitted a
> patch to mention the 16 character threshold where all other checks no
> longer apply in the error message, but running basic security checks
> against new passwords is normal, and not something we're going to stop
> doing.

Well, I'll say it once more: presenting checks and recommendations
to the user is fine.
That doesn't mean "weak" passwords should be *rejected*, though.

PyPI is not a project like Fedora is. It is a community service for
thousands of different people, with wildly different processes and
constraints. You can't just order anyone "use your passwords like
Nick and Donald do".

> If the PyPI password restrictions ever feel too onerous, then OpenID
> is another alternative (albeit not one that works with the command
> line tools). However, you should be able to use pypissh for CLI access
> in that case.

Thanks for reminding me about pypissh, I'll try it.

As for OpenID, it doesn't work for me right now (see other thread).

Regards

Antoine.
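As an added illustration of the disagreement above (example code written for this page, not PyPI's own): a composition rule with the 16-character waiver Nick mentions, beside a crude strength estimate that scores the repeated patterns Antoine gives as counterexamples. The alphabet sizes, the threshold value and the password "Zq7vL2mN" are assumptions and constructed inputs.

```python
import math

LONG_PASSWORD_THRESHOLD = 16  # assumed value of the threshold mentioned in the thread

def char_classes(s: str) -> int:
    """Alphabet size inferred from the character classes present (an assumption:
    26 lower, 26 upper, 10 digits, 33 printable ASCII punctuation)."""
    size = 0
    size += 26 if any(c.islower() for c in s) else 0
    size += 26 if any(c.isupper() for c in s) else 0
    size += 10 if any(c.isdigit() for c in s) else 0
    size += 33 if any(not c.isalnum() for c in s) else 0
    return size

def composition_check(password: str) -> bool:
    """The quoted rule: mix of different-case letters and digits, waived at
    LONG_PASSWORD_THRESHOLD characters and above."""
    if len(password) >= LONG_PASSWORD_THRESHOLD:
        return True
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))

def shortest_repeating_unit(password: str) -> str:
    """'aAaAaA' -> 'aA'; the whole string if it is not a repetition."""
    n = len(password)
    for period in range(1, n // 2 + 1):
        if n % period == 0 and password[:period] * (n // period) == password:
            return password[:period]
    return password

def estimated_bits(password: str) -> float:
    """Crude guessing-space estimate applied only to the non-repeating unit,
    so 'aAaA...' is scored as the two characters it really is."""
    unit = shortest_repeating_unit(password)
    size = char_classes(unit)
    return len(unit) * math.log2(size) if size else 0.0

def evaluate(password: str) -> dict:
    """Composition verdict next to the estimate, to show where they disagree."""
    return {"composition_ok": composition_check(password),
            "unit_length": len(shortest_repeating_unit(password)),
            "estimated_bits": round(estimated_bits(password), 1)}

if __name__ == "__main__":
    # Constructed inputs: the two passwords from the thread plus a genuine mix.
    for pw in ("aaaaaaaaaaaaaaaaaaaaaaaa", "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA", "Zq7vL2mN"):
        print(pw, evaluate(pw))
```

Both thread passwords pass the composition rule purely on length, while the estimate gives them under 12 bits; an 8-character genuine mix scores about 47 bits despite being shorter.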