On 17/06/12 06:48, Chris Angelico wrote:
> On Sun, Jun 17, 2012 at 2:18 PM, Steven D'Aprano
> <steve+comp.lang.pyt...@pearwood.info> wrote:
>> Safe from what? What is your threat model? Are you worried about your
>> little sister reading your diary? Or the NSA discovering your plans to
>> assassinate the President? Or something in between?
>>
>> Python's random module is not cryptographically strong, which means that
>> it will probably take an organisation like the NSA, MI5, ASIO, Mossad,
>> etc. about 10 or 20 minutes to crack your password. But your little
>> sister will probably take a hundred million years to guess it.
> Your little sister would quite possibly be kept off by rot13, which
> everyone knows isn't cryptographically secure. All it takes is making
> something look encrypted and most people won't bother to try (plus
> it's the whole "this isn't public kthx" thing, which many people will
> respect).
>
> Of course, if you're just trying to fool the BOFH's technical manager,
> it's even easier.
>
> http://bofh.ch/newbofh/bofh4oct.html
>
> ChrisA

Hi,

When generating random strings I usually do something like this Wikipedia extract (http://en.wikipedia.org/wiki/Random_password_generator):

The language Python <http://en.wikipedia.org/wiki/Python_%28programming_language%29> includes a SystemRandom class that obtains cryptographic grade random bits from /dev/urandom on a Unix-like system, including Linux and Mac OS X, while on Windows it uses CryptGenRandom. [4] <http://en.wikipedia.org/wiki/Random_password_generator#cite_note-3> [5] <http://en.wikipedia.org/wiki/Random_password_generator#cite_note-4> Here is a simple Python 2 script that demonstrates the use of this class:

#!/usr/bin/python
import random, string
# SystemRandom draws from the OS entropy source, not the Mersenne Twister
myrg = random.SystemRandom()
length = 10
# If you want non-English characters, remove the [0:52]
alphabet = string.letters[0:52] + string.digits
pw = str().join(myrg.choice(alphabet) for _ in range(length))
print pw

Do you think it is secure enough for token generation? (40-char-long tokens are
used for password reset links in a website; there isn't any special security
concern for the web.)


-- 
http://mail.python.org/mailman/listinfo/python-list
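
Added example (not part of the original message or of the Wikipedia script): a Python 3 sketch of 40-character reset tokens drawn from SystemRandom, contrasted with the seedable default generator discussed earlier in the thread. It goes beyond generation to show server-side handling; ResetStore, TOKEN_TTL and the helper names are hypothetical, and string.ascii_letters stands in for Python 2's string.letters[0:52].

```python
import hashlib
import hmac
import math
import random
import string
import time

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in the script above
TOKEN_LENGTH = 40                                 # length mentioned in the post
TOKEN_TTL = 3600                                  # assumed lifetime, in seconds
_SYSRAND = random.SystemRandom()                  # reads from os.urandom()


def new_token(rng=None, length=TOKEN_LENGTH):
    """Return a token drawn uniformly from ALPHABET (SystemRandom by default)."""
    rng = rng or _SYSRAND
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def entropy_bits(length=TOKEN_LENGTH, symbols=len(ALPHABET)):
    """Entropy in bits of a uniformly chosen token."""
    return length * math.log2(symbols)


def reproducible(make_rng, seed=1234):
    """True if two generators built from the same seed emit the same token."""
    return new_token(make_rng(seed)) == new_token(make_rng(seed))


class ResetStore:
    """In-memory stand-in for a table of pending password resets."""

    def __init__(self):
        self._pending = {}  # user -> (SHA-256 of token, expiry timestamp)

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = new_token()
        digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self._pending[user] = (digest, now + TOKEN_TTL)  # plaintext is never stored
        return token                                     # goes only into the e-mailed link

    def redeem(self, user, token, now=None):
        now = time.time() if now is None else now
        stored, expires = self._pending.get(user, ("", 0))
        digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(stored, digest) and now < expires  # constant-time compare
        if ok:
            del self._pending[user]                      # single use
        return ok
```

reproducible(random.Random) is True while reproducible(random.SystemRandom) is False, because SystemRandom ignores the seed. On Python 3.6 and later, secrets.choice uses the same SystemRandom source.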
