On Sep 4, 2013, at 7:28 AM, Paul Moore <p.f.mo...@gmail.com> wrote:

> On 4 September 2013 11:33, Antoine Pitrou <anto...@python.org> wrote:
>> Users don't want their security concerns to be dictated by a service
>> provider. Programmatically refusing passwords which are deemed "too
>> weak" is the kind of policy that I thought had disappeared since the 1990s
>> (yes, it's been tried before, like other stupid requirements such as
>> having to change passwords every month).
>
> +1.
>
> I will not spend time explaining my situation to people, but please
> assume that there are people in the world for whom using a password
> manager is not convenient, and having passwords on paper in a wallet
> is *also* not convenient. Unique, high-entropy passwords conforming to
> a constantly-changing set of arbitrary restrictions may be ideal in
> some sense, but people protect their bank cards with a four digit PIN
> number, and the world hasn't yet fallen apart.
This is a false equivalency. Sure, people protect their bank card with a four-digit PIN, but it also typically requires having the physical card itself (attacks such as skimming aside). I'd be OK with relaxing the restrictions if we can also mandate a physical factor, but that is more onerous than the simple restriction that exists already. If you can't maintain a basic level of security on your account, maybe you shouldn't be releasing code for other people to use? If you're releasing code, a compromise of your account exposes *other* people to risk (which is also unlike your bank card example). I don't think it's that hard to remember a 16+ character password that has no other restrictions besides being 16+ characters. Hell, repeat your original password twice and there you go (passwords also must be at least 8 characters).

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig