Nick Coghlan <ncoghlan <at> gmail.com> writes:
>
> On 4 September 2013 22:53, Antoine Pitrou <antoine <at> python.org> wrote:
> > Well, can I use "aaaaaaaaaaaaaaaaaaaaaaaa" too or do I have to use
> > "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA"?
> >
> > If that works, you could disable the restriction right now
> > because it is not securing anything, it's just a "feel-good"
> > restriction for security nerds.
>
> It's about increasing the search space for attackers. I've submitted a
> patch to mention the 16 character threshold where all other checks no
> longer apply in the error message, but running basic security checks
> against new passwords is normal, and not something we're going to stop
> doing.
Well, I'll say it once more: presenting checks and recommendations to the user is fine. That doesn't mean "weak" passwords should be *rejected*, though. PyPI is not a project like Fedora is. It is a community service for thousands of different people, with wildly different processes and constraints. You can't just order anyone "use your passwords like Nick and Donald do".

> If the PyPI password restrictions ever feel too onerous, then OpenID
> is another alternative (albeit not one that works with the command
> line tools). However, you should be able to use pypissh for CLI access
> in that case.

Thanks for reminding me about pypissh, I'll try it. As for OpenID, it doesn't work for me right now (see other thread).

Regards

Antoine.

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
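The policy the two messages argue about (character-class checks on new passwords, switched off entirely at a 16-character threshold) modelled as an added Python example. This is illustration code written for this page, not PyPI's own implementation: the 16-character bypass is the one figure the thread gives; the minimum length of 8 and the "one lowercase, one uppercase, one digit" rules are assumptions standing in for the unstated checks, and the functions `failed_checks`, `smallest_period`, `nominal_bits` and `repeated_pattern_bits` are hypothetical names. It goes beyond the thread in one respect: alongside the class-based "search space" the policy credits, it computes what an attacker who guesses short repeated units faces, which is the gap the two example passwords in the quoted message fall into.

```python
"""Model of a length-threshold password policy like the one discussed above.

Added example, not PyPI's code. BYPASS_LENGTH is the threshold mentioned in
the thread; MIN_LENGTH and the three character-class rules are assumptions.
"""
import math
import string

MIN_LENGTH = 8       # assumed; the thread does not state PyPI's minimum
BYPASS_LENGTH = 16   # from the thread: at or above this, other checks are skipped
GUESS_ALPHABET = 95  # printable ASCII, the alphabet a generic guesser would use


def failed_checks(password: str) -> list:
    """Return the names of the checks the password fails; empty means accepted."""
    if len(password) < MIN_LENGTH:
        return ["min_length"]
    if len(password) >= BYPASS_LENGTH:
        return []  # the length threshold: no character-class checks at all
    failures = []
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    return failures


def accepted(password: str) -> bool:
    return not failed_checks(password)


def smallest_period(s: str) -> int:
    """Length of the shortest unit whose repetition yields s (len(s) if none).

    Rotation trick: s has period i (0 < i < len(s), i dividing len(s))
    exactly when s occurs in s + s at offset i.
    """
    if not s:
        return 0
    i = (s + s).find(s, 1)
    return i if 0 < i < len(s) and len(s) % i == 0 else len(s)


def class_size(password: str) -> int:
    """Size of the alphabet a class-based policy credits the password with."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return max(size, 1)  # only spaces/non-ASCII: avoid log2(0) below


def nominal_bits(password: str) -> float:
    """Search space (bits) if the password were a uniform draw from its classes.

    This is the quantity a "mix classes, be long enough" policy tries to raise.
    """
    return len(password) * math.log2(class_size(password))


def repeated_pattern_bits(password: str) -> float:
    """Search space (bits) against an attacker who tries every short unit
    repeated out to the target length: about GUESS_ALPHABET ** period
    candidates (the choice of length is ignored here)."""
    return smallest_period(password) * math.log2(GUESS_ALPHABET)


if __name__ == "__main__":
    # Constructed sample inputs: the two passwords from the quoted message,
    # a short one that passes the class checks, and a short one that fails.
    for pw in ("aaaaaaaaaaaaaaaaaaaaaaaa",
               "aAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaA",
               "Tr0ub4dor",
               "aaaaaaaa"):
        print(f"{pw!r:36} accepted={accepted(pw)!s:5} failed={failed_checks(pw)} "
              f"nominal={nominal_bits(pw):6.1f} bits  "
              f"repeated-unit={repeated_pattern_bits(pw):5.1f} bits")
```

Both of the 24- and 32-character examples from the quoted message are accepted by the threshold rule while an attacker enumerating repeated one- or two-character units would need only on the order of 95 or 95^2 guesses; the eight-character `aaaaaaaa` is the only one of the four the class checks reject. Whether a service should reject on that basis or merely warn is exactly the point the two messages disagree on; the model only shows what each side's measure counts.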