On 5 September 2013 00:31, Antoine Pitrou <anto...@python.org> wrote:
> Nick Coghlan <ncoghlan <at> gmail.com> writes:
>>
>> On 4 September 2013 23:39, Antoine Pitrou <antoine <at> python.org> wrote:
>> > PyPI is not a project like Fedora is. It is a community service for
>> > thousands of different people, with wildly different processes and
>> > constraints. You can't just order anyone "use your passwords like
>> > Nick and Donald do".
>>
>> Sure - dealing with security issues for PyPI is always a complex
>> balancing act between security, backwards compatibility and
>> avoiding raising barriers to entry.
>>
>> With the error message fixed, the current password rules are pretty
>> simple, and easy to satisfy by typing a few more letters, pressing
>> shift once or hitting a number key.
>
> Once again, the problem is *not* to create a strong enough password
> (a one-liner using os.urandom() and the base64 module works for that),
> it's to remember it without having to note it down or whatever the
> current fashionable form of self-reminder is.
>
> This is the whole reason people choose "weak" passwords, because they
> are those they're able to remember easily.
That's the whole reason the content restrictions turn themselves off once the password hits 16 characters: passphrases are easy to remember, and generally quite secure.

So, no, "it's easy to remember" is not an adequate excuse for choosing a poor password for a service that has a lot of other people depending on its integrity.

Yes, there are *many* points of vulnerability for PyPI, and we've hardened the password system enough at this point that it's not currently the easiest attack vector (probably, anyway). But a security system is only as strong as its weakest link, and there's no way we're going to deliberately weaken this one, and a definite chance that at some (distant) point in the future we'll strengthen it further.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
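The rule Nick describes (content requirements that switch off once a password reaches 16 characters, with a clear error message explaining what is missing) can be written down as a small validator. The following is an added illustration and is not PyPI's actual code: the 16-character passphrase threshold comes from the thread, while the minimum length of 8 and the particular character classes (lowercase, uppercase, digit) are assumptions chosen to match "a few more letters, pressing shift once or hitting a number key". It also includes the `os.urandom()`/`base64` one-liner Antoine mentions, so the two sides of the discussion can be tried together.

```python
import os
import base64
import re

# Length at which content rules are no longer applied (stated in the thread).
PASSPHRASE_LENGTH = 16
# Assumed minimum length; the thread does not give this number.
MIN_LENGTH = 8

# Assumed character-class rules for passwords shorter than PASSPHRASE_LENGTH.
CONTENT_RULES = [
    (re.compile(r"[a-z]"), "shorter passwords need a lowercase letter"),
    (re.compile(r"[A-Z]"), "shorter passwords need an uppercase letter"),
    (re.compile(r"[0-9]"), "shorter passwords need a digit"),
]


def check_password(password):
    """Return the list of reasons a password is rejected; an empty list means accepted.

    Each reason is phrased so the user knows exactly what to add, which is the
    "fixed error message" point in the thread.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("must be at least %d characters" % MIN_LENGTH)
    # A long passphrase is accepted on length alone: no content restrictions.
    if len(password) >= PASSPHRASE_LENGTH:
        return problems
    for pattern, message in CONTENT_RULES:
        if not pattern.search(password):
            problems.append(message)
    return problems


def generate_password(nbytes=12):
    """The os.urandom()/base64 one-liner from the thread.

    12 random bytes encode to 16 base64 characters, so the result is accepted
    through the passphrase route regardless of which characters it contains.
    """
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


if __name__ == "__main__":
    for candidate in ["password", "Passw0rd", "correct horse battery staple",
                      generate_password()]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

The separate lists of reasons matter more than the rules themselves: a user who is told "shorter passwords need a digit" can fix the problem with one keystroke, whereas a bare "password rejected" pushes people toward guessing, or toward weaker choices that happen to pass.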