On 4 September 2013 22:53, Antoine Pitrou <anto...@python.org> wrote:
> Well, can I use "aaaaaaaaaaaaaaaaaaaaaaaa" too or do I have to use
> "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA"?
>
> If that works, you could disable the restriction right now
> because it is not securing anything, it's just a "feel-good"
> restriction for security nerds.
It's about increasing the search space for attackers. I've submitted a patch to mention the 16 character threshold where all other checks no longer apply in the error message, but running basic security checks against new passwords is normal, and not something we're going to stop doing.

It's quite possible that at some point in the future we'll start implementing stricter checks like those used for the Fedora Account System (this is especially likely if accounts start being linked across the python.org infrastructure, such that the consequences of a password compromise become even more significant).

If the PyPI password restrictions ever feel too onerous, then OpenID is another alternative (albeit not one that works with the command line tools). However, you should be able to use pypissh for CLI access in that case.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
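An added illustration (not from the thread or PyPI's actual code) of the kind of policy under discussion: composition checks that apply only below a 16 character threshold, plus the nominal brute-force search space that Nick's "increasing the search space" argument refers to. The minimum length, the "at least two character classes" rule and the charset sizes are assumptions chosen for the example.

```python
import math
import string

# Assumed illustrative rule set; the only value taken from the thread is
# the 16 character threshold above which the other checks no longer apply.
LONG_PASSWORD_THRESHOLD = 16
MIN_LENGTH = 8  # assumed minimum, not stated in the thread

# Nominal alphabet size per character class (33 = printable ASCII punctuation).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}


def character_classes(password):
    """Return the set of character classes actually used in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def check_password(password):
    """Return a list of failure reasons; an empty list means the password is accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("password must be at least %d characters" % MIN_LENGTH)
        return reasons
    if len(password) >= LONG_PASSWORD_THRESHOLD:
        # Long passwords skip the composition checks entirely, which is why
        # a run of 24 identical lowercase letters passes.
        return reasons
    if len(character_classes(password)) < 2:
        reasons.append("passwords shorter than %d characters must mix at least "
                       "two character classes" % LONG_PASSWORD_THRESHOLD)
    return reasons


def brute_force_bits(password):
    """Nominal search space in bits: log2(alphabet ** length) for the classes used.

    This is the exhaustive-search figure the composition rule aims to raise;
    it says nothing about pattern or dictionary attacks, which is exactly why
    a repeated single character is weak despite its length.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet)
```

Running `check_password` on the two strings from the quoted message accepts both, while `brute_force_bits` gives roughly 113 bits for the 24 lowercase letters against roughly 182 bits for the 32 mixed-case ones.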