Introducing the secrets module

Steven D'Aprano steve at pearwood.info
Sat Apr 16 22:36:12 EDT 2016


I'm pleased to announce a new standard library module for Python 3.6 and
better, to aid in generating secure tokens for authentication and other
secrets.

Last year, the founder of OpenBSD Theo de Raadt contacted Guido van Rossum
with concerns that the Python standard library made it too easy for people
to generate insecure tokens, session keys and related data.

The problem is that developers may use the random module for generating
tokens which need to be hard to guess. However the random module uses the
Mersenne Twister by default, which is designed for simulation and modelling
and is not suitable for cryptographic purposes. Consequently such tokens
may be insecure.

After much discussion, it was decided to leave the random module as-is, but
introduce a new module which can be used to generate hard-to-guess
(cryptographically strong) tokens and random numbers: the secrets module.

See the PEP for more details:

https://www.python.org/dev/peps/pep-0506/

And the documentation:

https://docs.python.org/3.6/library/secrets.html


Comments requested.



-- 
Steven
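As an added example, not code from the post, the PEP or the standard library itself: an issue/verify flow for session or reset tokens built on the secrets API the post points to, using the OS CSPRNG instead of the Mersenne Twister and a constant-time comparison on verification. The in-memory store and the function names are assumptions for illustration.

```python
import hashlib
import secrets
import string
from typing import Dict

# Constructed in-memory store (user id -> SHA-256 digest of the issued token).
# A real application would keep this server-side; the structure is an assumption.
_TOKEN_DIGESTS: Dict[str, bytes] = {}


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_token(user_id: str, nbytes: int = 32) -> str:
    """Issue a fresh token for user_id and return it to hand to the client.

    secrets.token_urlsafe draws nbytes from the OS CSPRNG and base64url-encodes
    them; 32 bytes is 256 bits of entropy, which is what makes the token hard
    to guess. random.getrandbits() / random.choice() give no such guarantee.
    """
    token = secrets.token_urlsafe(nbytes)
    # Store only a digest, so a leaked store does not hand out usable tokens.
    _TOKEN_DIGESTS[user_id] = _digest(token)
    return token


def verify_token(user_id: str, presented: str) -> bool:
    """Check a presented token against the stored digest for user_id."""
    stored = _TOKEN_DIGESTS.get(user_id)
    if stored is None:
        return False
    # compare_digest takes time independent of where the inputs first differ,
    # unlike ==, which stops at the first mismatching byte.
    return secrets.compare_digest(stored, _digest(presented))


def revoke_token(user_id: str) -> None:
    _TOKEN_DIGESTS.pop(user_id, None)


def generate_password(length: int = 16) -> str:
    """Build a password with secrets.choice, which picks uniformly from the CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry until both character classes are present (rejection sampling
        # keeps the distribution uniform over the accepted set).
        if any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw):
            return pw
```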



