[Python-ideas] Python's Source of Randomness and the random.py module Redux
4kir4.1i at gmail.com
Thu Sep 10 20:06:28 CEST 2015
Donald Stufft <donald at stufft.io> writes:
> Essentially, there are three basic types of uses of random (the concept, not
> the module). Those are:
> 1. People/usecases who absolutely need deterministic output given a seed and
> for whom security properties don't matter.
> 2. People/usecases who absolutely need a cryptographically random output and
> for whom having a deterministic output is a downside.
> 3. People/usecases that fall somewhere in between where it may or may not be
> security sensitive or it may not be known if it's security sensitive.
> The people in group #1 are currently, in the Python standard library, best
> served using the MT random source as it provides exactly the kind of determinsm
> they need. The people in group #2 are currently, in the Python standard
> library, best served using os.urandom (either directly or via
> However, the third case is the one that Theo's suggestion is attempting to
> solve. In the current landscape, the security minded folks will tell these
> people to use os.urandom/random.SystemRandom and the performance or otherwise
> less security minded folks will likely tell them to just use random.py. Leaving
> these people with a random that is not cryptographically safe.
"security minded folks"  recommend "always use os.urandom()" and
advise against *random* module [2,3] despite being aware of
i.e., if they are right then *random* module probably only need to care
about group #1 and avoid creating the false sense of security in group #3.
More information about the Python-ideas