[Python-Dev] PEP 506 secrets module

Chris Rebert clp2 at rebertia.com
Fri Oct 16 01:33:37 EDT 2015


On Thu, Oct 15, 2015 at 5:57 PM, Steven D'Aprano <steve at pearwood.info> wrote:
> Hi,
>
> As extensively discussed on Python-Ideas, the secrets module and PEP 506
> is (I hope) ready for pronouncement.
>
> https://www.python.org/dev/peps/pep-0506/

{{{
Comparison To Other Languages
[...]
Javascript
Based on a rather cursory search [20], there do not appear to be any
well-known standard functions for producing strong random values in
Javascript,
[...]
[20] Volunteers and patches are welcome.
}}}

Looks like client-side JS has window.crypto.getRandomValues() for this:
https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues
Similarly, Node.js offers crypto.randomBytes():
https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback

Also, it's spelled "JavaScript", not "Javascript".

Additionally, it looks like there's some kind of bold formatting error
in the answer to "Q: What about a password generator?" in the HTML
version of the PEP.

> There is code and tests here:
>
> https://bitbucket.org/sdaprano/secrets

I think there's a timing-related flaw in the current fallback
implementation of equal():
https://bitbucket.org/sdaprano/secrets/pull-requests/1

Cheers,
Chris
--
https://github.com/cvrebert
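
Added example, not part of the original message or of PEP 506: the two JavaScript APIs named above, used under Node.js to build rough counterparts of the token and random-choice helpers the PEP proposes. The function names `tokenHex`, `tokenUrlsafe`, `randBelow` and `choice` are chosen for this illustration, and Node's `webcrypto` object stands in for the browser's `window.crypto`, since both expose the same `getRandomValues()` call.

```javascript
// Added example (not from PEP 506 or the original message).
const { randomBytes, webcrypto } = require('node:crypto');

// Hex token from Node's CSPRNG: nbytes of entropy -> 2*nbytes hex chars.
function tokenHex(nbytes = 32) {
  return randomBytes(nbytes).toString('hex');
}

// URL-safe token: base64 with '+' and '/' replaced and padding stripped.
function tokenUrlsafe(nbytes = 32) {
  return randomBytes(nbytes)
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Uniform integer in [0, n) via getRandomValues(), the call browsers
// expose as window.crypto.getRandomValues(). Rejection sampling discards
// draws from the uneven tail so that `% n` introduces no modulo bias.
function randBelow(n) {
  if (!Number.isInteger(n) || n <= 0 || n > 0x100000000) {
    throw new RangeError('n must be an integer in 1..2^32');
  }
  // Largest multiple of n that is <= 2^32; draws at or above it are retried.
  const limit = 0x100000000 - (0x100000000 % n);
  const draw = new Uint32Array(1);
  do {
    webcrypto.getRandomValues(draw);
  } while (draw[0] >= limit);
  return draw[0] % n;
}

// Pick one element of a non-empty array or string without bias.
function choice(seq) {
  if (seq.length === 0) throw new RangeError('empty sequence');
  return seq[randBelow(seq.length)];
}
```

`Math.random()` is not a substitute for either call: it is not a cryptographically secure generator.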

