On 5 September 2013 00:59, Antoine Pitrou <anto...@python.org> wrote:
> Nick Coghlan <ncoghlan <at> gmail.com> writes:
>>
>> That's the whole reason the content restrictions turn themselves off
>> once the password hits 16 characters: passphrases are easy to
>> remember, and generally quite secure. So, no, "it's easy to remember"
>> is not an adequate excuse for choosing a poor password for a service
>> that has a lot of other people depending on its integrity.
>
> Then please add helpful guidelines as to how people can choose a safe
> and easy to remember password /or passphrase/. Most people aren't password
> experts, and the current one-line message isn't useful.
It's a complex topic, hence it takes long articles like
http://arstechnica.com/information-technology/2013/06/the-secret-to-online-safety-lies-random-characters-and-a-password-manager/
to do it justice.

The *best* answer is for a service to use 2-factor authentication instead of relying entirely on passwords (the "physical object" Donald mentioned earlier), but we don't have the resources to set that up, and certainly can't require it for all PyPI users (since you either need a physical token or a phone capable of running an app like Google Authenticator).

Second best is to use a password manager, either to help remember complex manually generated passwords, letting it generate the passwords for you, or a combination of the two. The Ars article linked above goes through some of the available options.

Third is to encourage or require people to use better passwords. The third page of the Ars password management article
(http://arstechnica.com/information-technology/2013/06/the-secret-to-online-safety-lies-random-characters-and-a-password-manager/3/)
gives some example techniques for generating good pass phrases. There's also the XKCD method (https://xkcd.com/936/) and the Schneier method (see towards the end of https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html).

A better password metering system than the current binary "allowed/disallowed" would definitely be desirable (see http://arstechnica.com/security/2013/05/its-official-password-strength-meters-arent-security-theater/), but isn't going to happen in the current PyPI web application. It might be possible after the migration to Warehouse is complete, though.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
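As an added illustration (not PyPI's or Warehouse's code), here is a small Python model of the policy discussed in this thread: composition rules that apply only below 16 characters, a graded strength estimate in place of the binary "allowed/disallowed" verdict, and an XKCD-style passphrase generator. The minimum length of 8, the three-class rule, the strength bands and the 2048-word list size are assumptions for the example.

```python
import math
import re
import secrets

# Added example, not PyPI's code. Models the policy described in the thread:
# composition rules apply only below PASSPHRASE_LENGTH characters, and a
# graded strength estimate replaces the binary allowed/disallowed verdict.
MIN_LENGTH = 8            # assumed minimum length
PASSPHRASE_LENGTH = 16    # from the thread: restrictions switch off at 16
MIN_CLASSES = 3           # assumed composition rule for short passwords
WORDLIST_BITS = 11.0      # assumes a 2048-word list (log2(2048)), as in XKCD 936
COMMON = {"password", "123456", "qwerty", "letmein"}  # tiny constructed deny-list

# (regex, pool size) for each character class
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]

def estimate_bits(pw: str) -> float:
    """Rough entropy estimate: space-separated phrases of 3+ words are scored
    per word, everything else as length * log2(character pool)."""
    words = pw.split()
    if len(words) >= 3:
        return WORDLIST_BITS * len(words)
    pool = sum(size for pattern, size in CLASSES if re.search(pattern, pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def strength_label(bits: float) -> str:
    # Assumed bands; a real meter would also look for dictionary words and patterns.
    if bits < 28: return "weak"
    if bits < 40: return "fair"
    if bits < 60: return "good"
    return "strong"

def rate_password(pw: str) -> dict:
    """Return the policy verdict plus a graded strength, not just allowed/denied."""
    problems = []
    if pw.lower() in COMMON:
        problems.append("common password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < PASSPHRASE_LENGTH:  # composition rule only for short passwords
        classes = sum(1 for pattern, _ in CLASSES if re.search(pattern, pw))
        if classes < MIN_CLASSES:
            problems.append(f"fewer than {MIN_CLASSES} character classes")
    bits = estimate_bits(pw)
    return {"allowed": not problems, "bits": round(bits, 1),
            "strength": strength_label(bits), "problems": problems}

def generate_passphrase(wordlist: list, n_words: int = 4) -> str:
    """XKCD-style passphrase from a CSPRNG; entropy is n_words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(pw, "->", rate_password(pw))
```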