On Mon, Jun 18, 2012 at 3:06 AM, Rafael Durán Castañeda
<rafadurancastan...@gmail.com> wrote:
> The language Python includes a SystemRandom class that obtains cryptographic
> grade random bits from /dev/urandom on a Unix-like system, including Linux
> and Mac OS X, while on Windows it uses CryptGenRandom.

/dev/urandom isn't actually cryptographically secure; it promises not
to block, even if it has insufficient entropy. But in your instance...

> Do you think it is secure enough for token generation? (40 chars long tokens
> are used for password reset links in a website, there isn't any special
> security concern for the web).

... it probably is fine, since password reset tokens don't need to be
as secure as encryption keys (if anyone _does_ figure out how to
predict your password resets, all they'll be able to do is lock people
out of their accounts one by one, not snoop on them all unbeknownst,
and you'll be able to see log entries showing the resets - you DO log
them, right?). In fact, you could probably get away with something
pretty trivial there, like a SHA1 of the current timestamp, the user
name, and the user's current password hash. The chances that anybody
would be able to exploit that are fairly low, given that you're not a
bank or other high-profile target.

ChrisA
--
http://mail.python.org/mailman/listinfo/python-list
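
The token scheme asked about in this thread, as an added example that is not part of the original messages: 40-character password reset tokens drawn from `random.SystemRandom`, kept server-side only as a SHA-256 digest, with an expiry and single use. The function names, the in-memory `_pending` store and the one-hour lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import random
import string
import time

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
TOKEN_LEN = 40       # token length quoted in the thread (about 238 bits here)
TOKEN_TTL = 3600     # assumed lifetime in seconds

_rng = random.SystemRandom()  # draws from os.urandom, the OS source named in the thread
_pending = {}                 # hypothetical store: user -> (token digest, expiry time)


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(user, now=None):
    """Create a token for `user`, replacing any earlier one; return it for the link."""
    now = time.time() if now is None else now
    token = "".join(_rng.choice(ALPHABET) for _ in range(TOKEN_LEN))
    # Only the digest is stored, so a leaked table does not yield usable links.
    _pending[user] = (_digest(token), now + TOKEN_TTL)
    return token


def redeem_reset_token(user, token, now=None):
    """Return True exactly once for a valid, unexpired token; False otherwise."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    stored, expiry = entry
    if now > expiry:
        del _pending[user]          # expired tokens are dropped
        return False
    try:
        candidate = _digest(token)
    except UnicodeEncodeError:      # non-ASCII input can never match
        return False
    if not hmac.compare_digest(stored, candidate):  # constant-time comparison
        return False
    del _pending[user]              # single use
    return True
```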