Template language for random string generation
Ian Kelly
ian.g.kelly at gmail.com
Sun Aug 10 12:38:16 EDT 2014
On Aug 10, 2014 6:45 AM, "Devin Jeanpierre" <jeanpierreda at gmail.com> wrote:
> > * Uses SystemRandom class (if available, or falls back to Random)
>
> This sounds cryptographically weak. Isn't the normal thing to do to
> use a cryptographic hash function to generate a pseudorandom sequence?
You mean in the fallback case, right? I'm no crypto expert, but I've never
heard of SystemRandom being contra-recommended for crypto, and even the
Python docs recommend it.
The output of even a cryptographically strong hash isn't going to have any
more entropy than the input, so if the input is predictable then the output
will be also. One approach I'm aware of, which is used by Django, is to
hash the RNG state along with the time and a local secret In order to
reseed the RNG unpredictably whenever randomness is required. That creates
a configuration burden in order to establish the secret, though.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20140810/c9aa5cec/attachment.html>
More information about the Python-list
mailing list