On 17-4-2016 4:36, Steven D'Aprano wrote:
> And the documentation:
>
> https://docs.python.org/3.6/library/secrets.html
>
>
> Comments requested.
I've read about the "How many bytes should tokens use?" consideration. It suggests that to be secure, tokens need to have sufficient randomness. The default token length is subject to change at any time to remain secure against brute-force.

However the API allows you to supply any token length, even one that is (a lot) shorter than the default.

In view of the rationale for this new module ("Python's standard library makes it too easy for developers to inadvertently make serious security errors") should it perhaps not be allowed to use a value that is less than the default?

Hm, perhaps it should not; enforcing this could break code suddenly in the future when the default is raised...

Irmen
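
The trade-off raised in this message, as an added example that is not part of the original post and not code from the `secrets` module. The wrapper `checked_token_urlsafe`, the helper `accepts` and the 16-byte `POLICY_MIN_BYTES` floor are hypothetical; the "raised default" is a constructed value, twice today's `secrets.DEFAULT_ENTROPY`.

```python
import secrets

# Assumption: a floor chosen by the application and fixed in its own code,
# rather than tied to the library default, which may be raised later.
POLICY_MIN_BYTES = 16

def checked_token_urlsafe(nbytes=None, min_bytes=POLICY_MIN_BYTES):
    """Hypothetical wrapper: secrets.token_urlsafe that refuses short tokens."""
    if nbytes is None:
        return secrets.token_urlsafe()  # library default length
    if nbytes < min_bytes:
        raise ValueError(
            f"token of {nbytes} bytes is below the {min_bytes}-byte floor")
    return secrets.token_urlsafe(nbytes)

def accepts(nbytes, floor):
    """True if a request for nbytes passes a wrapper whose floor is `floor`."""
    try:
        checked_token_urlsafe(nbytes, min_bytes=floor)
        return True
    except ValueError:
        return False

def demo():
    results = {}
    # The stdlib call itself accepts any length, including very short ones.
    results["stdlib_4_bytes_len"] = len(secrets.token_bytes(4))
    # A fixed floor rejects the short request and still accepts 32 bytes.
    results["fixed_rejects_4"] = not accepts(4, POLICY_MIN_BYTES)
    results["fixed_accepts_32"] = accepts(32, POLICY_MIN_BYTES)
    # A floor tied to the default: a caller that passes today's default
    # explicitly is accepted now, but rejected once the default is raised.
    today = secrets.DEFAULT_ENTROPY
    raised = today * 2  # constructed future default
    results["tied_accepts_today"] = accepts(today, floor=today)
    results["tied_breaks_after_raise"] = not accepts(today, floor=raised)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```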