Nick Coghlan <ncoghlan <at> gmail.com> writes:
> 
> On 4 September 2013 22:53, Antoine Pitrou <antoine <at> python.org> wrote:
> > Well, can I use "aaaaaaaaaaaaaaaaaaaaaaaa" too or do I have to use
> > "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA"?
> >
> > If that works, you could disable the restriction right now
> > because it is not securing anything, it's just a "feel-good"
> > restriction for security nerds.
> 
> It's about increasing the search space for attackers. I've submitted a
> patch to mention the 16 character threshold where all other checks no
> longer apply in the error message, but running basic security checks
> against new passwords is normal, and not something we're going to stop
> doing.

Well, I'll say it once more: presenting checks and recommendations
to the user is fine.
That doesn't mean "weak" passwords should be *rejected*, though.

PyPI is not a project like Fedora is. It is a community service for
thousands of different people, with wildly different processes and
constraints. You can't just order anyone "use your passwords like
Nick and Donald do".

> If the PyPI password restrictions ever feel too onerous, then OpenID
> is another alternative (albeit not one that works with the command
> line tools). However, you should be able to use pypissh for CLI access
> in that case.

Thanks for reminding me about pypissh, I'll try it.

As for OpenID, it doesn't work for me right now (see other thread).

Regards

Antoine.


_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
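The two positions above (Nick's "search space" argument for basic checks with a 16-character waiver, and Antoine's point that a waiver lets "aaaaaaaaaaaaaaaaaaaaaaaa" straight through) are easier to weigh with the rule written out. The block below is an added illustration, not PyPI's code and not code from either poster: it models a policy in which a minimum length and a character-class check apply until the password reaches the 16-character threshold mentioned in the thread, and then estimates the naive brute-force search space and the number of distinct characters so the reader can see what the waiver does and does not guarantee. The minimum length of 8 and the two-class requirement are assumptions; only the 16-character threshold comes from the thread.

```python
"""Illustrative password-policy check with a length waiver.

Added example, not PyPI's code.  MIN_LENGTH and MIN_CLASSES are assumed
values; WAIVER_LENGTH is the 16-character threshold mentioned in the thread.
"""
from __future__ import annotations

import math
import string

MIN_LENGTH = 8        # assumed minimum length
WAIVER_LENGTH = 16    # threshold from the thread: other checks no longer apply
MIN_CLASSES = 2       # assumed: at least two of lower/upper/digit/symbol

_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def char_classes(pw: str) -> set[str]:
    """Return the names of the character classes present in pw."""
    chars = set(pw)
    return {name for name, cls in _CLASSES.items() if chars & cls}


def check_password(pw: str) -> list[str]:
    """Return a list of policy violations (an empty list means accepted).

    Mirrors the threshold rule from the thread: once the password is at
    least WAIVER_LENGTH characters, the composition check is skipped, so
    both "a" * 24 and "aA" * 16 pass while "a" * 12 does not.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) < WAIVER_LENGTH and len(char_classes(pw)) < MIN_CLASSES:
        problems.append(
            f"fewer than {MIN_CLASSES} character classes "
            f"(waived at {WAIVER_LENGTH}+ characters)"
        )
    return problems


def naive_search_space_bits(pw: str) -> float:
    """log2 of the brute-force space an attacker who knows only the length
    and the character classes in use would have to cover.

    This is the "search space" argument from the thread, not a measure of
    real strength: "aaaaaaaa..." is trivial to guess but scores well here,
    which is exactly the objection raised against the waiver.
    """
    alphabet = sum(len(_CLASSES[c]) for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def distinct_chars(pw: str) -> int:
    """Number of distinct characters: a cheap flag for repeated-character
    input that a length waiver on its own lets through."""
    return len(set(pw))


if __name__ == "__main__":
    for candidate in ["a" * 24, "aA" * 16, "a" * 12, "short"]:
        print(
            repr(candidate),
            check_password(candidate) or "accepted",
            f"{naive_search_space_bits(candidate):.1f} bits",
            f"{distinct_chars(candidate)} distinct",
        )
```

Running it shows the shape of the disagreement: under this rule the 24-character all-lowercase string is accepted with a larger naive search space than the 16-character mixed-case one, while its single distinct character would be caught by any check that looks at the password's content rather than just its length and classes.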
