Introducing the secrets module

Irmen de Jong irmen.NOSPAM at xs4all.nl
Sun Apr 17 08:40:00 EDT 2016


On 17-4-2016 4:36, Steven D'Aprano wrote:

> And the documentation:
> 
> https://docs.python.org/3.6/library/secrets.html
> 
> 
> Comments requested.

I've read about the "How many bytes should tokens use?" consideration. It suggests that
to be secure, tokens need to have sufficient randomness. The default token length is
subject to change at any time to remain secure against brute-force.
However the API allows you to supply any token length, even one that is (a lot) shorter
than the default.
In view of the rationale for this new module ("Python's standard library makes it too
easy for developers to inadvertently make serious security errors") should it perhaps
not be allowed to use a value that is less than the default?

Hm, perhaps it should not; enforcing this could break code suddenly in the future when
the default is raised...

Irmen
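
The trade-off raised in this message, as an added example that is not part of the original post or of the `secrets` module: a wrapper that rejects short tokens under two policies, showing that a "no shorter than the default" rule breaks callers with a hard-coded length once the default is raised. `APP_MIN_BYTES`, `checked_token`, `accepted` and the policy names are hypothetical, and the 16-byte floor is an assumed application choice.

```python
import secrets

# Assumption: application-chosen floor, not a value from the secrets docs.
APP_MIN_BYTES = 16


def current_default_bytes():
    """Measure the library default at runtime instead of hard-coding it."""
    return len(secrets.token_bytes())


def checked_token(nbytes=None, *, policy="floor", default_bytes=None):
    """Return a URL-safe token, rejecting lengths the policy forbids.

    policy="default": reject anything shorter than the library default
                      (the stricter rule considered in the message).
    policy="floor":   reject anything shorter than APP_MIN_BYTES.
    default_bytes lets a caller simulate a future, larger library default.
    """
    if default_bytes is None:
        default_bytes = current_default_bytes()
    if nbytes is None:
        nbytes = default_bytes  # callers that pass nothing follow the default
    minimum = {"default": default_bytes, "floor": APP_MIN_BYTES}[policy]
    if nbytes < minimum:
        raise ValueError(
            f"{nbytes} bytes is below the {policy} minimum of {minimum}")
    return secrets.token_urlsafe(nbytes)


def accepted(nbytes, **kwargs):
    """True if checked_token() would issue a token of this length."""
    try:
        checked_token(nbytes, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    today = current_default_bytes()
    print("library default today:", today, "bytes")
    # The stdlib itself accepts a much shorter length without complaint.
    print("unchecked 4-byte token:", secrets.token_hex(4))
    print("4 bytes, floor policy:", accepted(4))
    # A caller that hard-coded today's default, after the default doubles:
    for policy in ("default", "floor"):
        ok = accepted(today, policy=policy, default_bytes=today * 2)
        print(f"hard-coded {today} bytes, {policy} policy, raised default:", ok)
```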



