<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
El 17/06/12 06:48, Chris Angelico escribió:
<blockquote
cite="mid:CAPTjJmomCKn5zBYmNVz6Wit1ETurZ-NvcEze9JfkCx+24-g+hQ@mail.gmail.com"
type="cite">
<pre wrap="">On Sun, Jun 17, 2012 at 2:18 PM, Steven D'Aprano
<a class="moz-txt-link-rfc2396E" href="mailto:steve+comp.lang.python@pearwood.info"><steve+comp.lang.python@pearwood.info></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Safe from what? What is your threat model? Are you worried about your
little sister reading your diary? Or the NSA discovering your plans to
assassinate the President? Or something in between?
Python's random module is not cryptographically strong, which means that
it will probably take an organisation like the NSA, MI5, ASIO, Mossad,
etc. about 10 or 20 minutes to crack your password. But your little
sister will probably take a hundred million years to guess it.
</pre>
</blockquote>
<pre wrap="">
Your little sister would quite possibly be kept off by rot13, which
everyone knows isn't cryptographically secure. All it takes is making
something look encrypted and most people won't bother to try (plus
it's the whole "this isn't public kthx" thing, which many people will
respect).
Of course, if you're just trying to fool the BOFH's technical manager,
it's even easier.
<a class="moz-txt-link-freetext" href="http://bofh.ch/newbofh/bofh4oct.html">http://bofh.ch/newbofh/bofh4oct.html</a>
ChrisA
</pre>
</blockquote>
Hi,<br>
<br>
When generating random strings I usually do something like this
wikepedia extract (<a class="moz-txt-link-freetext" href="http://en.wikipedia.org/wiki/Random_password_generator">http://en.wikipedia.org/wiki/Random_password_generator</a>):<br>
<p>The language <a
href="http://en.wikipedia.org/wiki/Python_%28programming_language%29"
title="Python (programming language)">Python</a> includes a
SystemRandom class that obtains cryptographic grade random bits
from /dev/urandom on a Unix-like system, including Linux and Mac
OS X, while on Windows it uses CryptGenRandom.<sup id="cite_ref-3"
class="reference"><a
href="http://en.wikipedia.org/wiki/Random_password_generator#cite_note-3"><span>[</span>4<span>]</span></a></sup><sup
id="cite_ref-4" class="reference"><a
href="http://en.wikipedia.org/wiki/Random_password_generator#cite_note-4"><span>[</span>5<span>]</span></a></sup>
Here is a simple Python 2 script that demonstrates the use of this
class:</p>
<div dir="ltr" class="mw-geshi mw-code mw-content-ltr">
<div class="python source-python">
<pre class="de1"><span class="co1">#!/usr/bin/python</span>
<span class="kw1">import</span> <span class="kw3">random</span><span class="sy0">,</span> <span class="kw3">string</span>
myrg <span class="sy0">=</span> <span class="kw3">random</span>.<span class="me1">SystemRandom</span><span class="br0">(</span><span class="br0">)</span>
length <span class="sy0">=</span> <span class="nu0">10</span>
<span class="co1"># If you want non-English characters, remove the [0:52]</span>
alphabet <span class="sy0">=</span> <span class="kw3">string</span>.<span class="me1">letters</span><span class="br0">[</span><span class="nu0">0</span>:<span class="nu0">52</span><span class="br0">]</span> + <span class="kw3">string</span>.<span class="me1">digits</span>
pw <span class="sy0">=</span> <span class="kw2">str</span><span class="br0">(</span><span class="br0">)</span>.<span class="me1">join</span><span class="br0">(</span>myrg.<span class="me1">choice</span><span class="br0">(</span>alphabet<span class="br0">)</span> <span class="kw1">for</span> _ <span class="kw1">in</span> <span class="kw2">range</span><span class="br0">(</span>length<span class="br0">)</span><span class="br0">)</span>
<span class="kw1">print</span> pw
Do you think is secure enough for token generation? (40 chars long tokens are used for password reset links in a website, there isn't any special security concern for the web).
</pre>
</div>
</div>
<br>
</body>
</html>