PyPI password rules

Chris Angelico rosuav at gmail.com
Wed Aug 27 23:32:04 EDT 2014


On Thu, Aug 28, 2014 at 12:53 PM, Skip Montanaro <skip at pobox.com> wrote:
> On Wed, Aug 27, 2014 at 9:23 AM, Skip Montanaro <skip at pobox.com> wrote:
>>
>> I should have something to show the world in a day or two.
>
>
> Here's my first crack at it.
>
> https://github.com/smontanaro/polly
>
> Thanks to Chris for the idea and the name.

Looks cool!

I'm not sure I understand how your 'common' value works, though. Does
the default 0.6 mean you take the 60% most common words? Those above
the 60th percentile of frequency? Something else?

With my original parrot code, it's worded the other way, as a password
entropy metric. You can say "use only the 2048 most common words"
(which will be XKCD 936's estimate of 11 bits per word), or "use the
128 most common" (7 bits per word; with a standard four word password
this is equivalent to the bad password from XKCD 936). Although it's
not technically 100% reproducible; effectively, it weights words in a
dictionary, then sorts them by weight and takes the first N. It's not
guaranteed to produce unique weights, so the exact set of words used
can vary.

Huh. Using the 128 most common words, as well as being really dumb
from a password security perspective, also seems to be really bad for
making memorable passwords.

> xkcd936 128
Picking 4 words from 128 gives about 28 bits of entropy.
--> need into never other
> xkcd936 128
Picking 4 words from 128 gives about 28 bits of entropy.
--> help never about found
> xkcd936 128
Picking 4 words from 128 gives about 28 bits of entropy.
--> still type would played
> xkcd936 128
Picking 4 words from 128 gives about 28 bits of entropy.
--> long into makes already
> xkcd936 128
Picking 4 words from 128 gives about 28 bits of entropy.
--> thought time found already
> xkcd936 128
Picking 4 words from 128 gives about 28 bits of entropy.
--> next wrong then thats
> xkcd936 128
Picking 4 words from 128 gives about 28 bits of entropy.
--> nice session were thing

Apparently, the most common words said to our parrot aren't
particularly useful for passwording. Going up to 2048 gives us some
much more interesting words!

> xkcd936 2048
Picking 4 words from 2048 gives about 44 bits of entropy.
--> country history future needed
> xkcd936 2048
Picking 4 words from 2048 gives about 44 bits of entropy.
--> interest front deal cookie
> xkcd936 2048
Picking 4 words from 2048 gives about 44 bits of entropy.
--> bloody player dice this

And that last one wasn't originally profanity, given the militaristic
nature of D&D... but I can imagine someone swearing at another player
and yelling "DICE THIS!"...

ChrisA
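The entropy arithmetic in the message above (log2 of the dictionary size per word, times the number of words, so 4 words from 128 is 28 bits and from 2048 is 44 bits) and the reproducibility problem with tied word weights, worked through as an added example. This is not Chris's parrot code or the polly project's code; the corpus text, the function names and the alphabetical tie-break are all constructed for the illustration.

```python
import math
import secrets
from collections import Counter

# Constructed sample text standing in for the words "said to the parrot".
# It is made up for this example and is not the corpus from the post.
SAMPLE_TEXT = """
the dice went flat so the player rolled the dice again and the
player said this never works the other player laughed and said
never mind the dice just roll again and hope the dice are kind
"""


def count_words(text):
    """Tokenise on whitespace, lower-case, strip edge punctuation, count."""
    words = (w.strip(".,!?\"'").lower() for w in text.split())
    return Counter(w for w in words if w)


def top_n_words(counter, n):
    """Return the n most frequent words as a reproducible list.

    Sorting by frequency alone leaves tied words in arbitrary order, so two
    runs could end up with different top-n sets (the non-reproducibility the
    post describes). Breaking ties alphabetically makes the set stable, and
    a stable set is what makes the log2(n) estimate meaningful.
    """
    if n > len(counter):
        raise ValueError(f"only {len(counter)} distinct words, need {n}")
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return [word for word, _ in ranked[:n]]


def entropy_bits(dictionary_size, n_words):
    """Bits of entropy for n_words chosen uniformly, with replacement,
    from dictionary_size candidates: n_words * log2(dictionary_size)."""
    return n_words * math.log2(dictionary_size)


def make_passphrase(words, n_words=4):
    """Pick n_words uniformly with the OS CSPRNG (secrets), not the
    random module, so the entropy estimate actually holds."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    counts = count_words(SAMPLE_TEXT)
    # The toy corpus has 21 distinct words, so use small dictionaries here.
    for size in (8, 16):
        common = top_n_words(counts, size)
        print(f"Picking 4 words from {size} gives about "
              f"{round(entropy_bits(size, 4))} bits of entropy.")
        print("-->", make_passphrase(common))
    # The dictionary sizes discussed in the post.
    for size in (128, 2048):
        print(f"{size} words: {entropy_bits(size, 4):.0f} bits for 4 words")
```

With a real corpus the same `top_n_words` would be fed a dictionary of thousands of counted words; the point of the tie-break is that the 128th and 129th words no longer swap places between runs.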


