On 2016-02-23, Steven D'Aprano <st...@pearwood.info> wrote:
> On Tue, 23 Feb 2016 06:22 am, Jon Ribbens wrote:
>> Suppose you had code like this:
>>
>>   filename = binascii.hexlify(os.urandom(16)).decode("ascii")
>>
>> Do we really think that is insecure or that there are any practical
>> attacks against it? It would be basically the same as saying that
>> urandom() is broken, surely?
>
> Correct. Any attack against urandom would be an attack on this. You would
> just have to trust that the kernel devs have made urandom as secure as
> possible, and pay no attention to what the man page says, as it's wrong.
>
> By the way, Python 3.6 will have (once Guido formally approves it) a new
> module, "secrets", for securely generating (pseudo)random tokens like this:
>
>   import secrets
>   filename = secrets.token_hex(16)

+1