On Sep 4, 2013, at 6:50 AM, Jim Fulton <j...@zope.com> wrote:

> On Wed, Sep 4, 2013 at 6:33 AM, Antoine Pitrou <anto...@python.org> wrote:
>> Donald Stufft <donald <at> stufft.io> writes:
>>>
>>> On Sep 4, 2013, at 4:27 AM, Antoine Pitrou <antoine <at> python.org> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> On PyPI:
>>>> "Please use a mix of different-case letters and numbers in your password"
>>>>
>>>> Ok... has anyone decided to play BOFH on this one?
>>>>
>>>> Displaying recommendations is fine (and, why not, some kind of entropy
>>>> meter), enforcing stupid rules like that is not.
>>>>
>>>> Regards
>>>>
>>>> Antoine, trying to access his PyPI account...
>>>>
>>>>
>>>> _______________________________________________
>>>> Distutils-SIG maillist - Distutils-SIG <at> python.org
>>>> https://mail.python.org/mailman/listinfo/distutils-sig
>>>
>>> Use a better password,
>>
>> Ok, let me try to explain this, despite the fact that I would have
>> preferred not to lose time with this:
>>
>> Users don't want their security concerns to be dictated by a service
>> provider. Programmatically refusing passwords which are deemed "too
>> weak" is the kind of policy that I thought had disappeared since the 1990s
>> (yes, it's been tried before, like other stupid requirements such as
>> having to change passwords every month).
>>
>> Mandating that users choose hard-to-remember passwords only leads to them
>> writing down those passwords on post-it stickers (or sending themselves
>> clear-text reminder e-mails, etc.). It's counter-productive in addition
>> to being an annoyance when trying to do real work.
>>
>> I think it would be beneficial if you changed your attitude a bit here.
>> Caring about security is good. Mandating that other people follow
>> *your* security principles when dealing with *their* data is obnoxious
>> (and here the accent is really on "mandating"; it's fine to give advice).
>
> People (at least technical people) should use password managers.
>
> What annoys me is when a 40-character random password is rejected
> because it doesn't contain a number (or a capitalized letter
> or whatever), when the same system would accept a 7-character
> password. (It's easy enough to add the missing bits to the password,
> which makes it merely annoying, but it also makes me think the system
> is sorta stupid.)
That should be fine for PyPI's restrictions! Length is the best way to introduce more entropy anyways. Requiring longer passwords is far better than requiring symbols or numbers.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
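An added illustration of the exchange above, not code from the thread or from PyPI: it puts a composition rule of the kind quoted ("different-case letters and numbers", read here as lowercase + uppercase + digit) next to a length-based entropy floor, and runs both over the two cases Jim describes. The sample passwords and the 60-bit threshold are constructed assumptions.

```python
import math
import string

# Constructed sample passwords standing in for the two cases in the thread:
# a 40-character manager-generated password with no digit or capital, and a
# 7-character password that satisfies the composition rule.
LONG_RANDOM = "qzrmwpkvtxhubfgynajlcdoseiqzrmwpkvtxhubf"
SHORT_MIXED = "Passw0r"

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def composition_rule(pw: str) -> bool:
    """Assumed reading of the PyPI message: at least one lowercase letter,
    one uppercase letter and one digit. Not PyPI's actual check."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def charset_size(pw: str) -> int:
    """Size of the alphabet a generator would have needed to produce pw:
    the union of every standard class pw touches, plus any other symbols."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    extra = {c for c in pw if not any(c in cls for cls in CLASSES)}
    return size + len(extra)


def entropy_bits(pw: str) -> float:
    """Entropy of pw if each character was drawn uniformly from the inferred
    alphabet: length * log2(alphabet). Accurate for password-manager output,
    an overestimate for human-chosen strings like SHORT_MIXED."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def entropy_rule(pw: str, min_bits: float = 60.0) -> bool:
    """Length-aware alternative: accept anything above an entropy floor,
    regardless of which character classes it happens to contain."""
    return entropy_bits(pw) >= min_bits


if __name__ == "__main__":
    # The 40-char password fails the composition rule but carries ~188 bits;
    # the 7-char one passes the rule with under 42 bits.
    for pw in (LONG_RANDOM, SHORT_MIXED):
        print(f"{pw!r:44} {len(pw):2d} chars  {entropy_bits(pw):6.1f} bits  "
              f"composition={composition_rule(pw)}  entropy={entropy_rule(pw)}")
```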