On Wed, Sep 4, 2013 at 6:33 AM, Antoine Pitrou <anto...@python.org> wrote:
> Donald Stufft <donald <at> stufft.io> writes:
>>
>> On Sep 4, 2013, at 4:27 AM, Antoine Pitrou <antoine <at> python.org> wrote:
>>
>> >
>> > Hi,
>> >
>> > On PyPI:
>> > "Please use a mix of different-case letters and numbers in your password"
>> >
>> > Ok... has anyone decided to play BOFH on this one?
>> >
>> > Displaying recommendations is fine (and, why not, some kind of entropy
>> > meter), enforcing stupid rules like that is not.
>> >
>> > Regards
>> >
>> > Antoine, trying to access his PyPI account...
>> >
>> >
>> > _______________________________________________
>> > Distutils-SIG maillist - Distutils-SIG <at> python.org
>> > https://mail.python.org/mailman/listinfo/distutils-sig
>>
>> Use a better password,
>
> Ok, let me try to explain this, despite the fact that I would have
> preferred not to lose time with this:
>
> Users don't want their security concerns to be dictated by a service
> provider. Programmatically refusing passwords which are deemed "too
> weak" is the kind of policy that I thought had disappeared since the 1990s
> (yes, it's been tried before, like other stupid requirements such as
> having to change passwords every month).
>
> Mandating that users choose hard-to-remember passwords only leads to them
> writing down those passwords on post-it stickers (or sending themselves
> clear-text reminder e-mails, etc.). It's counter-productive in addition
> to being an annoyance when trying to do real work.
>
> I think it would be beneficial if you changed your attitude a bit here.
> Caring about security is good. Mandating that other people follow
> *your* security principles when dealing with *their* data is obnoxious
> (and here the accent is really on "mandating"; it's fine to give advice).
People (at least technical people) should use password managers.

What annoys me is when a 40-character random password is rejected because it doesn't contain a number (or a capitalized letter or whatever), when the same system would accept a 7-character password. (It's easy enough to add the missing bits to the password, which makes it merely annoying, but it also makes me think the system is sorta stupid.)

Jim

--
Jim Fulton
http://www.linkedin.com/in/jimfulton
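The two policies contrasted in this thread, side by side, as an added example (this is not PyPI's code and not anything posted by the participants): a composition rule of the "mixed case plus a digit" kind next to a crude entropy estimate of the sort Antoine's "entropy meter" remark alludes to. The thresholds (minimum length 6, minimum 60 bits), the function names and the two sample passwords are assumptions chosen to reproduce Jim's complaint: the composition rule rejects a 40-character lowercase password from a password manager while accepting a 7-character one, and the entropy estimate does the reverse.

```python
"""Composition rule vs. entropy estimate for password acceptance.

Added example for this thread; not PyPI's code. Thresholds (min length 6,
min 60 bits) and the sample passwords are assumptions for illustration.
"""
import math
import string

# Character classes the crude entropy estimate recognises.
CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Constructed samples. LONG_RANDOM stands in for a 40-character lowercase
# password produced by a password manager; SHORT_MIXED is a 7-character
# password that satisfies "mixed case plus a digit".
LONG_RANDOM = "kqzvxjwmhg" + "tbpdnlrycs" + "fuoaeikqzv" + "xjwmhgtbpd"
SHORT_MIXED = "Passw0r"


def composition_rule_accepts(password: str, min_length: int = 6) -> bool:
    """The kind of rule quoted in the thread: require lowercase, uppercase
    and a digit, plus a short minimum length. Length beyond the minimum
    earns no credit, which is exactly what rejects LONG_RANDOM."""
    return (
        len(password) >= min_length
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
    )


def estimated_entropy_bits(password: str) -> float:
    """Estimate entropy as len(password) * log2(alphabet size), where the
    alphabet is the union of the character classes actually present.

    Caveat: this assumes every character was drawn uniformly from that
    alphabet, which is fair for generator output and generous for
    human-chosen passwords (real strength meters also penalise dictionary
    words and keyboard patterns; this one deliberately does not).
    """
    if not password:
        return 0.0
    alphabet = sum(len(cls) for cls in CHAR_CLASSES
                   if any(c in cls for c in password))
    # Characters outside the four classes (e.g. non-ASCII) each count as one symbol.
    alphabet += len({c for c in password
                     if not any(c in cls for cls in CHAR_CLASSES)})
    return len(password) * math.log2(alphabet)


def entropy_rule_accepts(password: str, min_bits: float = 60.0) -> bool:
    """Accept on estimated entropy alone: a long single-class password passes,
    a short mixed-class one does not."""
    return estimated_entropy_bits(password) >= min_bits


def evaluate(password: str) -> dict:
    """Both verdicts plus the estimate, for a side-by-side comparison."""
    return {
        "length": len(password),
        "composition_rule": composition_rule_accepts(password),
        "entropy_bits": round(estimated_entropy_bits(password), 1),
        "entropy_rule": entropy_rule_accepts(password),
    }


if __name__ == "__main__":
    for pw in (LONG_RANDOM, SHORT_MIXED):
        print(pw, evaluate(pw))
```

Run it and the 40-character password comes out at about 188 bits yet fails the composition rule, while the 7-character one passes the composition rule at under 42 bits. The estimate is only an upper bound on strength, so a meter built on it should be advisory, in line with the "display recommendations, don't enforce" position taken in the thread.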