On 4 September 2013 11:33, Antoine Pitrou <anto...@python.org> wrote:
> Users don't want their security concerns to be dictated by a service
> provider. Programmatically refusing passwords which are deemed "too
> weak" is the kind of policy that I thought had disappeared since the 1990s
> (yes, it's been tried before, like other stupid requirements such as
> having to change passwords every month).

+1. I will not spend time explaining my situation to people, but please assume that there are people in the world for whom using a password manager is not convenient, and having passwords on paper in a wallet is *also* not convenient. Unique, high-entropy passwords conforming to a constantly-changing set of arbitrary restrictions may be ideal in some sense, but people protect their bank cards with a four digit PIN number, and the world hasn't yet fallen apart.

(Note by the way that the PyPI restrictions would not accept the complete text of the above paragraph as a valid password. I bet it has pretty high entropy, though...)

<climbs down off the hobby horse>

Paul
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig