Is this secure?
Steven D'Aprano
steven at REMOVE.THIS.cybersource.com.au
Tue Feb 23 21:19:31 EST 2010
On Tue, 23 Feb 2010 11:19:59 -0800, Paul Rubin wrote:
> mk <mrkafk at gmail.com> writes:
>> I need to generate passwords and I think that pseudo-random generator
>> is not good enough, frankly. So I wrote this function:... The question
>> is: is this secure? That is, can the string generated this way be
>> considered truly random? (I abstract from not-quite-perfect nature of
>> /dev/urandom at the moment; I can always switch to /dev/random which is
>> better)
>
> urandom is fine and the entropy loss from the numeric conversions and
> eliminating 'z' in that code before you get letters out is not too bad.
What?
You're going from a possible alphabet of 62 (excluding punctuation) or 94
(inc punctuation available on an American keyboard) distinct letters down
to 25, and you say that's "not too bad"?
Paul, if you were anyone else, I'd be sneering uncontrollably about now,
but you're not clueless about cryptography, so what have I missed? Why is
reducing the number of distinct letters by more than 50% anything but a
disaster? This makes the task of brute-forcing the password exponentially
easier.
Add the fact that the passwords are so short (as little as two characters
in my tests) and this is about as far from secure as it is possible to be.
--
Steven
More information about the Python-list
mailing list