Is that safe to use random.random() for key to encrypt?

Chris Angelico rosuav at gmail.com
Sun Jun 17 18:41:57 EDT 2012


On Mon, Jun 18, 2012 at 3:06 AM, Rafael Durán Castañeda
<rafadurancastaneda at gmail.com> wrote:
> The language Python includes a SystemRandom class that obtains cryptographic
> grade random bits from /dev/urandom on a Unix-like system, including Linux
> and Mac OS X, while on Windows it uses CryptGenRandom.

/dev/urandom isn't actually cryptographically secure; it promises not
to block, even if it has insufficient entropy. But in your instance...

> Do you think it is secure enough for token generation? (40 chars long tokens
> are used for password reset links in a website, there isn't any special
> security concern for the web).

... it probably is fine, since password reset tokens don't need to be
as secure as encryption keys (if anyone _does_ figure out how to
predict your password resets, all they'll be able to do is lock people
out of their accounts one by one, not snoop on them all unbeknownst,
and you'll be able to see log entries showing the resets - you DO log
them, right?). In fact, you could probably get away with something
pretty trivial there, like a SHA1 of the current timestamp, the user
name, and the user's current password hash. The chances that anybody
would be able to exploit that are fairly low, given that you're not a
bank or other high-profile target.

ChrisA
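
An added example, not part of the original message or thread: one way to issue the 40-character password reset tokens discussed above from the SystemRandom class named in the quoted text, keeping only a hash server-side and logging each reset. The function names, the in-memory store and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import logging
import random
import string
import time

log = logging.getLogger("password_reset")

ALPHABET = string.ascii_letters + string.digits
TOKEN_LENGTH = 40        # token length mentioned in the thread
TOKEN_LIFETIME = 3600    # assumed: a token expires after one hour

_sysrand = random.SystemRandom()   # reads os.urandom(), not the Mersenne Twister

# Hypothetical in-memory store: username -> (SHA-256 hex of token, expiry time)
_pending = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username, now=None):
    """Create a token for the reset link; only its hash is stored."""
    now = time.time() if now is None else now
    token = "".join(_sysrand.choice(ALPHABET) for _ in range(TOKEN_LENGTH))
    _pending[username] = (_digest(token), now + TOKEN_LIFETIME)
    log.info("reset token issued for %s", username)
    return token


def redeem_reset_token(username, token, now=None):
    """Return True once for a valid, unexpired token, False otherwise."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    stored, expires = entry
    if now > expires:
        del _pending[username]          # expired: drop it
        return False
    # Constant-time comparison of the two hex digests
    if not hmac.compare_digest(stored, _digest(token)):
        log.warning("bad reset token presented for %s", username)
        return False
    del _pending[username]              # single use
    log.info("password reset completed for %s", username)
    return True
```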


