[Python-Dev] PEP 506 secrets module

Nick Coghlan ncoghlan at gmail.com
Tue Oct 20 05:56:37 EDT 2015

On 20 October 2015 at 11:33, Victor Stinner <victor.stinner at gmail.com> wrote:
> 2015-10-20 11:11 GMT+02:00 Nick Coghlan <ncoghlan at gmail.com>:
>> Folks wanting to simulate die rolls should be using the random module
>> rather than the secrets module anyway,
> Hum, why? Dice are used in casinos where security matters because it
> costs money.

True, I was thinking of just-for-fun games, but in gambling games
unbiased randomness can be significantly more important.

> A bad API can be more likely to be misused and introduce a security
> vulnerability. The C rand() API is a good example: 1+rand()%6 is not
> uniform...

"1 + secrets.randbelow(6)" would be uniform, though. As Tim pointed
out, the *lack* of flexibility in randbelow() is a feature here, since
it focuses on producing a uniformly random distribution of a given
size, which can then be transformed deterministically.
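
The point discussed in this message, as an added example that is not part of the original post: it enumerates every output of a generator with an assumed RAND_MAX of 32767 to show the bias in `1 + r % 6`, shows that rejecting the leftover values removes it, and then uses `secrets.randbelow()` followed by a deterministic transformation. The function names and the card mapping are hypothetical.

```python
import secrets
from collections import Counter

RAND_MAX = 32767  # assumption: the smallest RAND_MAX the C standard permits


def modulo_face_counts(sides=6, rand_max=RAND_MAX):
    """Exact count of each face of 1 + r % sides over every r in 0..rand_max."""
    counts = Counter(1 + r % sides for r in range(rand_max + 1))
    return dict(sorted(counts.items()))


def rejection_face_counts(sides=6, rand_max=RAND_MAX):
    """Same enumeration, but raw values past the last full multiple of
    `sides` are rejected (the caller would redraw), removing the bias."""
    limit = (rand_max + 1) - (rand_max + 1) % sides
    counts = Counter(1 + r % sides for r in range(limit))
    return dict(sorted(counts.items()))


def roll_die(sides=6):
    """Uniform die roll: shift randbelow's 0..sides-1 range up by one."""
    return 1 + secrets.randbelow(sides)


RANKS = "A 2 3 4 5 6 7 8 9 10 J Q K".split()
SUITS = ["clubs", "diamonds", "hearts", "spades"]


def index_to_card(i):
    """Deterministic map from 0..51 to a (rank, suit) pair."""
    suit, rank = divmod(i, len(RANKS))
    return RANKS[rank], SUITS[suit]


def draw_card():
    """One uniform draw over 52 outcomes, then a fixed transformation."""
    return index_to_card(secrets.randbelow(len(RANKS) * len(SUITS)))


if __name__ == "__main__":
    print("1 + r % 6   :", modulo_face_counts())
    print("with reject :", rejection_face_counts())
    print("roll_die()  :", [roll_die() for _ in range(10)])
    print("draw_card() :", draw_card())
```

Because 32768 is not a multiple of 6, two faces come up one extra time in the plain modulo version; the gap grows as the number of outcomes approaches the size of the raw range.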


