
Steven D'Aprano writes:
> On Tue, Sep 22, 2015 at 08:56:24AM +0900, Stephen J. Turnbull wrote:
> I don't know. Perhaps they will. I'm not entirely sure what the use-case of this password generator is, since I'm pretty sure that "real" password generators have to deal with far more complicated rules.

Actually, I think they'll do what randrange does: take a seed from urandom() and values from a (CS)PRNG based on that seed, and throw away an out-of-range subset. I.e., they'll just generate passwords based on a simple rule about the alphabet and keep trying until they get one that passes the strength tester.

> > I would expect that this function would be used for initial system-generated passwords (or system-enforced random passwords), and the system would have control over the admissible set.
> Perhaps so. But then how does the application get the password to the user? Via unencrypted email, like mailman does?

Well, I hand them out to my students in class on business cards. But an HTTPS connection could also work.

> I expect that the only use-case for an application generating a password for the user would be "low security" applications where the password has low value.

That could very well be true.
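The retry scheme described above (draw candidates from an OS-seeded CSPRNG, discard any the strength rule rejects) as an added example in Python; this is not code from the thread or from Python's own `secrets` module, and the three-character-class policy and the `max_attempts` cap are assumptions made for the example:

```python
import math
import secrets
import string

# Assumed admissible alphabet: the system controls this set.
ALPHABET = string.ascii_letters + string.digits


def passes_policy(pw: str) -> bool:
    """Hypothetical strength tester: one lowercase, one uppercase, one digit."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniform draw before rejection; rejection only lowers it
    slightly, because the accepted set is a large subset of all strings."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 12, alphabet: str = ALPHABET,
                      policy=passes_policy, max_attempts: int = 1000) -> str:
    """Rejection sampling from a CSPRNG.

    secrets.choice draws from the OS entropy source (os.urandom via
    SystemRandom), so every candidate is uniform over alphabet**length.
    Rejection depends only on the candidate, so the accepted password is
    uniform over the admissible subset, which is what makes the entropy
    estimate above honest. max_attempts guards against a policy that no
    string from this alphabet can satisfy (e.g. requiring a digit when the
    alphabet has none), which would otherwise loop forever.
    """
    for _ in range(max_attempts):
        candidate = ''.join(secrets.choice(alphabet) for _ in range(length))
        if policy(candidate):
            return candidate
    raise RuntimeError("policy rejected every candidate; check it is satisfiable")


if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(12, len(ALPHABET)), 1))
```

With a 62-character alphabet and 12 characters, roughly two thirds of candidates pass this policy, so the loop almost always finishes on the first few draws.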