Is it safe to use random.random() for a key to encrypt?
Rafael Durán Castañeda
rafadurancastaneda at gmail.com
Sun Jun 17 13:06:19 EDT 2012
On 17/06/12 06:48, Chris Angelico wrote:
> On Sun, Jun 17, 2012 at 2:18 PM, Steven D'Aprano
> <steve+comp.lang.python at pearwood.info> wrote:
>> Safe from what? What is your threat model? Are you worried about your
>> little sister reading your diary? Or the NSA discovering your plans to
>> assassinate the President? Or something in between?
>>
>> Python's random module is not cryptographically strong, which means that
>> it will probably take an organisation like the NSA, MI5, ASIO, Mossad,
>> etc. about 10 or 20 minutes to crack your password. But your little
>> sister will probably take a hundred million years to guess it.
> Your little sister would quite possibly be kept off by rot13, which
> everyone knows isn't cryptographically secure. All it takes is making
> something look encrypted and most people won't bother to try (plus
> it's the whole "this isn't public kthx" thing, which many people will
> respect).
>
> Of course, if you're just trying to fool the BOFH's technical manager,
> it's even easier.
>
> http://bofh.ch/newbofh/bofh4oct.html
>
> ChrisA
Hi,
When generating random strings I usually do something like this
Wikipedia extract (http://en.wikipedia.org/wiki/Random_password_generator):
The language Python includes a SystemRandom class that obtains
cryptographic grade random bits from /dev/urandom on a Unix-like system,
including Linux and Mac OS X, while on Windows it uses CryptGenRandom. [4][5]
Here is a simple Python 2 script that demonstrates the use of this class:
#!/usr/bin/python
import random, string

myrg = random.SystemRandom()   # backed by /dev/urandom (CryptGenRandom on Windows)
length = 10
# If you want non-English characters, remove the [0:52]
alphabet = string.letters[0:52] + string.digits
pw = ''.join(myrg.choice(alphabet) for _ in range(length))
print pw
Do you think it is secure enough for token generation? (40-character tokens are used for password reset links on a website; there isn't any special security concern for the site.)
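As an added example (not part of Rafael's post or the Wikipedia extract he quotes), the Python 3 script below first makes Steven's point concrete and then shows the SystemRandom route for 40-character reset tokens. Part 1 rebuilds the internal state of CPython's default Mersenne Twister from 624 leaked getrandbits(32) outputs (the standard "untempering" trick) and predicts the generator's next values, including a choice()-built token; a real attacker who only sees choice() output has a harder recovery problem, but the 624-word case is enough to show that random.random() and random.choice() have no secret to keep. Part 2 draws a 40-character token from SystemRandom, estimates its entropy, stores only a SHA-256 fingerprint of it and verifies in constant time. All function names are mine, and the clone assumes CPython's getstate()/setstate() layout (version 3, 624 state words plus an index).

```python
import hashlib
import hmac
import math
import random
import string

# --- Part 1: why random.random()/random.choice() must not mint secrets ---
# CPython's default Random is MT19937. Each output word is a bijective
# "tempering" of one internal state word, so 624 consecutive 32-bit outputs
# let an observer rebuild the whole state and predict every later value.

MT_N = 624
MASK32 = 0xFFFFFFFF


def _undo_right_xorshift(y, shift):
    # Invert y ^= y >> shift; each pass fixes `shift` more high-order bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_xorshift_masked(y, shift, mask):
    # Invert y ^= (y << shift) & mask; each pass fixes `shift` more low bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Map one MT19937 output word back to the state word it came from
    (tempering steps undone in reverse order)."""
    y = _undo_right_xorshift(y, 18)
    y = _undo_left_xorshift_masked(y, 15, 0xEFC60000)
    y = _undo_left_xorshift_masked(y, 7, 0x9D2C5680)
    y = _undo_right_xorshift(y, 11)
    return y & MASK32


def clone_from_outputs(outputs):
    """Return a random.Random whose future output matches the generator that
    produced `outputs`: exactly 624 consecutive getrandbits(32) values."""
    if len(outputs) != MT_N:
        raise ValueError("need exactly %d consecutive 32-bit outputs" % MT_N)
    state = tuple(untemper(v) for v in outputs)
    clone = random.Random()
    # CPython state layout (assumed): (version, 624 words + index, gauss_next).
    # index == 624 means "twist before the next output", same as the victim.
    clone.setstate((3, state + (MT_N,), None))
    return clone


def mt_clone_predicts(n_predictions=8):
    """Leak 624 outputs from a victim MT generator, clone it, and check that
    the clone predicts the victim's next words and a choice()-built token."""
    victim = random.Random()          # seeded from the OS, but still MT19937
    leaked = [victim.getrandbits(32) for _ in range(MT_N)]
    clone = clone_from_outputs(leaked)
    alphabet = string.ascii_letters + string.digits
    v_words = [victim.getrandbits(32) for _ in range(n_predictions)]
    c_words = [clone.getrandbits(32) for _ in range(n_predictions)]
    v_token = "".join(victim.choice(alphabet) for _ in range(40))
    c_token = "".join(clone.choice(alphabet) for _ in range(40))
    return v_words == c_words and v_token == c_token


# --- Part 2: what to use instead for password reset tokens ---
TOKEN_ALPHABET = string.ascii_letters + string.digits   # 62 symbols
_sysrand = random.SystemRandom()                        # os.urandom-backed


def generate_token(length=40, alphabet=TOKEN_ALPHABET):
    """Token from the OS CSPRNG; SystemRandom.choice() uses rejection
    sampling, so every symbol is equally likely."""
    return "".join(_sysrand.choice(alphabet) for _ in range(length))


def token_entropy_bits(length=40, alphabet=TOKEN_ALPHABET):
    """Guessing work for a uniformly chosen token: log2(|alphabet| ** length)."""
    return length * math.log2(len(alphabet))


def token_fingerprint(token):
    """Store this, not the token: a leaked table then yields no usable links."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def verify_token(presented, stored_fingerprint):
    """Constant-time comparison, so response timing does not reveal how many
    leading characters of the guess were right."""
    return hmac.compare_digest(token_fingerprint(presented), stored_fingerprint)


if __name__ == "__main__":
    print("MT19937 clone predicts victim:", mt_clone_predicts())
    token = generate_token()
    print("token:", token, "entropy bits: %.1f" % token_entropy_bits())
    fp = token_fingerprint(token)
    print("verify good:", verify_token(token, fp))
    print("verify bad: ", verify_token("A" * 40, fp))
```

On Python 3.6 and later the standard library's `secrets` module (`secrets.token_urlsafe(30)` yields 40 URL-safe characters) does the same job as SystemRandom here with less room for error. A 40-character alphanumeric token carries roughly 238 bits of entropy, so for a reset link the generator is not the weak point; how long the link stays valid, and whether the raw token ends up in logs, Referer headers or the database in clear, is.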