On Sun, Aug 10, 2014 at 9:31 AM, Steven D'Aprano <[email protected]> wrote: >> (I've been working on this kind of thing with regexps, but it's still >> incomplete.) >> >>> * Uses SystemRandom class (if available, or falls back to Random) >> >> This sounds cryptographically weak. Isn't the normal thing to do to >> use a cryptographic hash function to generate a pseudorandom sequence? > > I don't think that using a good, but not cryptographically-strong, random > number generator to generate passwords is a serious vulnerability. What's > your threat model?
I've always wanted a password generator that worked on the fly based off of a master password. If the passwords are generated randomly but not cryptographically securely so, then given sufficiently many passwords, the master password might be deduced. CSPRNGs guarantee otherwise. >> Someone should write a cryptographically secure pseudorandom number >> generator library for Python. :( > > Here, let me google that for you I should clarify that OpenSSL has one (which is what I assume you're alluding to), but it doesn't let you choose the seed, so it's useless for deterministic password generation. There are also lots of small libraries some person wrote at some time, but that sounds shady. ;) -- Devin -- https://mail.python.org/mailman/listinfo/python-list
