Donald Stufft <donald <at> stufft.io> writes:

> On Sep 4, 2013, at 4:27 AM, Antoine Pitrou <antoine <at> python.org> wrote:
>
> > Hi,
> >
> > On PyPI:
> > "Please use a mix of different-case letters and numbers in your password"
> >
> > Ok... has anyone decided to play BOFH on this one?
> >
> > Displaying recommendations is fine (and, why not, some kind of entropy
> > meter), enforcing stupid rules like that is not.
> >
> > Regards
> >
> > Antoine, trying to access his PyPI account...
> >
> > _______________________________________________
> > Distutils-SIG maillist - Distutils-SIG <at> python.org
> > https://mail.python.org/mailman/listinfo/distutils-sig
>
> Use a better password,
Ok, let me try to explain this, despite the fact that I would have preferred not to lose time with this:

Users don't want their security concerns to be dictated by a service provider. Programmatically refusing passwords which are deemed "too weak" is the kind of policy that I thought had disappeared since the 1990s (yes, it's been tried before, like other stupid requirements such as having to change passwords every month). Mandating that users choose hard-to-remember passwords only leads to them writing down those passwords on post-it stickers (or sending themselves clear-text reminder e-mails, etc.). It's counter-productive in addition to being an annoyance when trying to do real work.

I think it would be beneficial if you changed your attitude a bit here. Caring about security is good. Mandating that other people follow *your* security principles when dealing with *their* data is obnoxious (and here the accent is really on "mandating"; it's fine to give advice).

Thanks

Antoine.
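The thread contrasts two approaches: a composition rule that rejects passwords outright (the "mix of different-case letters and numbers" message from PyPI) and an advisory entropy meter that only displays a recommendation. The following is an added illustration written for this page, not code from PyPI or from anyone in the thread. It implements both: `composition_rule` mimics the quoted rule, and `advise` is a simple meter that estimates brute-force bits from length and character-class pool size, flags entries from a small constructed list of common passwords, and returns hints without ever refusing the password. The pool sizes, thresholds and the common-password set are assumptions chosen for the example.

```python
import math
import string

# Constructed sample for the example; a real meter would load a large breach list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def composition_rule(password: str) -> bool:
    """The kind of rule quoted in the thread: letters of both cases plus a
    digit. Returns True when the rule would accept the password."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return has_lower and has_upper and has_digit


def estimate_bits(password: str) -> float:
    """Naive brute-force estimate: length * log2(pool), where the pool is
    the union of character classes actually present (assumed sizes)."""
    if not password:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation or c.isspace() for c in password):
        pool += 33  # punctuation plus space, approximated as one class
    return len(password) * math.log2(pool)


def advise(password: str) -> dict:
    """Advisory meter: returns an estimate, a verdict and hints, but never
    rejects. The caller decides whether to show or ignore the advice."""
    bits = estimate_bits(password)
    hints = []
    if password.lower() in COMMON_PASSWORDS:
        # A dictionary hit makes the pool-size estimate meaningless.
        bits = 0.0
        hints.append("this is a very common password")
    if len(password) < 12:
        hints.append("length helps more than mixing classes; try a passphrase")
    if bits < 40:
        verdict = "weak"
    elif bits < 70:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "verdict": verdict, "hints": hints}


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple"):
        print(candidate, "rule accepts:", composition_rule(candidate),
              "meter:", advise(candidate))
```

The two sample inputs show why the thread objects to the rule: "Password1" satisfies the composition rule yet the meter rates it weak because it is on the common-password list, while a long all-lowercase passphrase fails the rule but scores far more estimated bits than anything the rule would accept at nine characters.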