On Tue, 23 Feb 2010 15:36:02 +0100, mk wrote:

> Hello,
>
> I need to generate passwords and I think that pseudo-random generator is
> not good enough, frankly. So I wrote this function:
[snip]
> (yes I know that this way generated string will not contain 'z' because
> 99/4 + 97 = 121 which is 'y')

You're worried about the security of the PRNG but then generate a TWO to FIVE character lowercase password with no digits, punctuation or the letter 'z'? That's priceless!

Python's PRNG is not suitable for producing cryptographically strong streams of random bytes, but it is perfectly strong enough for generating good passwords.

> The question is: is this secure?

No. You are wasting your time trying to fix something which isn't a problem, and introducing a much bigger problem instead.

You are MUCH MUCH MUCH better off with a six or ten character password taken from upper and lowercase letters, plus digits, plus punctuation, than a four digit password taken from lowercase letters only. Even if the first case has some subtle statistical deviation from uniformity, and the second is "truly random" (whatever that means), it doesn't matter. Nobody is going to crack your password because the password generator is 0.01% more likely to generate a "G" than a "q". But they *will* brute-force your password if you have a four digit password taken from a-y only.

> That is, can the string generated this
> way be considered truly random?

Define truly random.

--
Steven
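
Added example, not part of the original post: the comparison made in the reply above, worked out in bits. It assumes a model in which one of the 94 symbols is 0.01% more likely than the rest; the function names and that bias model are constructed for illustration.

```python
import math
import string

# Alphabet from the question: lowercase without 'z' (25 symbols), length 2 to 5.
WEAK_ALPHABET = string.ascii_lowercase[:-1]
# Alphabet suggested in the reply: upper and lowercase, digits, punctuation.
STRONG_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace(alphabet_size, min_len, max_len):
    """Number of distinct passwords with length in [min_len, max_len]."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def min_entropy_bits(probs, length):
    """Worst-case (min-)entropy in bits of `length` independent symbols."""
    return -length * math.log2(max(probs))


def biased_distribution(size, relative_bias):
    """Uniform over `size` symbols except that one symbol is `relative_bias`
    more likely than each of the others (constructed model, an assumption)."""
    weights = [1.0 + relative_bias] + [1.0] * (size - 1)
    total = sum(weights)
    return [w / total for w in weights]


def compare(relative_bias=0.0001, strong_len=6):
    """Bits of guessing work for each scheme discussed in the thread."""
    n = len(STRONG_ALPHABET)
    return {
        # log2 of the keyspace is an upper bound on the weak scheme's entropy,
        # even if its generator were perfectly random.
        "weak_bits": math.log2(keyspace(len(WEAK_ALPHABET), 2, 5)),
        "strong_uniform_bits": min_entropy_bits([1 / n] * n, strong_len),
        "strong_biased_bits": min_entropy_bits(
            biased_distribution(n, relative_bias), strong_len),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name}: {bits:.4f} bits")
```

The bias costs less than a thousandth of a bit over six characters, while the short a-y scheme sits about 16 bits below the six-character one regardless of how random its source is.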