[Distutils] "Please use a mix of different-case letters and numbers in your password"

Nick Coghlan ncoghlan at gmail.com
Wed Sep 4 16:11:22 CEST 2013


On 4 September 2013 23:39, Antoine Pitrou <antoine at python.org> wrote:
> PyPI is not a project like Fedora is. It is a community service for
> thousands of different people, with wildly different processes and
> constraints. You can't just order anyone "use your passwords like
> Nick and DOnald do".

Sure - dealing with security issues for PyPI is always a complex
balancing act between security, backwards compatibility and
avoiding raising barriers to entry.

With the error message fixed, the current password rules are pretty
simple, and easy to satisfy by typing a few more letters, pressing
shift once or hitting a number key. Ramping things up to the level
Fedora do is unlikely to happen any time soon, if it ever happens at
all (especially since the shift to properly salted hashes likely added
more security than tougher password rules ever will). On the other
hand, pre-emptively filtering out passwords that are known to be
picked up by the initial "quick-and-dirty" heuristics used by common
password crackers (before they settle in to the more time consuming
brute force searches) is a well established "defence in depth"
strategy for password security, since it doesn't cost defenders much
time to prevent them, and it doesn't save attackers much time to skip
them.

However, PyPI users need to recognise that it isn't the integrity of
*their* accounts that we're primarily worried about when attempting to
minimise login vulnerabilities. Our primary concern (after the
integrity of PyPI itself), is the integrity of end users' machines. So
when we place restrictions on uploaders, it's guided by a desire to be
worthy of the exceptional levels of trust placed in the service by
anyone that types "pip install <distribution>" or "easy_install
<distribution>" or just downloads a file directly from the site.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
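An added illustration (not PyPI's code) of the two layers the post describes: the case-and-digit rule from the subject line, plus a screen that rejects cheap variations of commonly guessed passwords before a cracker's first-pass rules would find them. The minimum length and the contents of the denylist are assumptions.

```python
import re
from typing import Optional

# Constructed sample denylist standing in for the wordlist a cracker tries
# first; a real deployment would load a much larger published list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "python", "pypi"}

MIX_MESSAGE = "Please use a mix of different-case letters and numbers in your password"

# Cheap substitutions that cracker rule sets apply before brute force.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def has_case_and_digit_mix(password: str) -> bool:
    """The rule behind the error message: lowercase, uppercase and a digit."""
    return (re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def normalise(password: str) -> str:
    """Undo case changes, appended digits/symbols and leet substitutions,
    so 'P@ssw0rd1' collapses to the dictionary word 'password'."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)   # drop trailing '123', '!', etc.
    return stripped.translate(LEET)


def check_password(password: str) -> Optional[str]:
    """Return None if the password is acceptable, else the reason to reject it."""
    if len(password) < 8:  # assumed minimum length; the post states none
        return "Password must be at least 8 characters long"
    if not has_case_and_digit_mix(password):
        return MIX_MESSAGE
    if normalise(password) in COMMON_PASSWORDS:
        return "Password is a trivial variation of a commonly guessed password"
    return None


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "Qwerty123!", "Tr0ub4dor&3"]:
        print(repr(candidate), "->", check_password(candidate))
```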

