Tim Peters writes:
> > [Stephen J. Turnbull] ... (2) ISTM there are no likely attack vectors due to choice of default RNG in random.random, based on Tim's analysis, but AFAICS he's unwilling to say it's implausible that they exist. (Sorry for the double negative!) I take this to mean that there may be real risk.
> Oh, _many_ attacks are possible. Many are even plausible. For example, while Python's _default_ seeding is based on urandom() setting MT's entire massive state (no more secure way exists), a user making up their own seed is quite likely to do so in a way vulnerable to a "poor seeding" attack.
I'm not sure what you mean to say, but I don't count that as "due to choice of default RNG". That's foot-shooting of the kind we can't do anything about anyway, and if *that* is what Nick is worried about, I'm worried about Nick. ;-) *I* am more worried about attacks we don't know about yet (or at least haven't been mentioned in this thread), and maybe even haven't been invented yet. I presume Nick is, too.
> "Password generators" should be the least of our worries. Best I can tell, the PHP paper's highly technical MT attack against those has scant chance of working in Python except when random.choice(x) is known to have len(x) a power of 2.
That's genuinely comforting to read (even though it's the second or third time I've read it ;-). But I'm still nervous about the unknown.
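An added illustration of the two points Tim makes above (default urandom() seeding versus a user-supplied seed, and a password generator built on random.choice()); this is example code, not anything posted by Tim or Stephen. The alphabets, lengths and seed values are constructed for the demo.

```python
"""Password generation: user-seeded MT versus the OS random source.

Added example for the thread above; constructed alphabets and seeds.
"""
import random
import string

# 62 symbols (letters + digits) is not a power of two; adding two more
# gives the 64-symbol, power-of-two case that Tim singles out.
ALPHABET_62 = string.ascii_letters + string.digits
ALPHABET_64 = ALPHABET_62 + "-_"


def generate_password(length, alphabet, rng):
    """Draw `length` symbols from `alphabet` using rng.choice()."""
    return "".join(rng.choice(alphabet) for _ in range(length))


def default_seeding_differs(length=16, alphabet=ALPHABET_64):
    """random.Random() with no seed fills MT's state from os.urandom(),
    so two fresh generators will not produce the same password."""
    a = generate_password(length, alphabet, random.Random())
    b = generate_password(length, alphabet, random.Random())
    return a != b


def mt_passwords_repeat(seed, length=16, alphabet=ALPHABET_64):
    """The 'poor seeding' failure mode: two MT generators given the same
    user-chosen seed produce the same password, so the effective key
    space is the seed space, not MT's 19937-bit state."""
    first = generate_password(length, alphabet, random.Random(seed))
    second = generate_password(length, alphabet, random.Random(seed))
    return first == second


def system_rng_ignores_seed(length=16, alphabet=ALPHABET_64):
    """SystemRandom draws from os.urandom() on every call: seed() is a
    documented no-op and getstate() raises NotImplementedError, so there
    is no user-controlled state for a caller to weaken."""
    rng = random.SystemRandom()
    rng.seed(1234)  # ignored by design
    try:
        rng.getstate()
    except NotImplementedError:
        pass
    else:
        return False
    pw = generate_password(length, alphabet, rng)
    return len(pw) == length and all(c in alphabet for c in pw)


if __name__ == "__main__":
    print("default seeding differs:", default_seeding_differs())
    print("seeded MT repeats:", mt_passwords_repeat(42))
    print("SystemRandom ignores seed:", system_rng_ignores_seed())
```

On Python 3.6 and later the `secrets` module wraps SystemRandom for exactly this use (`secrets.choice`), which is the practical answer to the "password generator" worry.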