[Python-ideas] Pre-PEP Adding A Secrets Module To The Standard Library
Steven D'Aprano
steve at pearwood.info
Mon Sep 21 18:10:59 CEST 2015
On Sat, Sep 19, 2015 at 06:40:32PM -0500, Tim Peters wrote:
> [Guido]
> > Thanks! I'd accept this (and I'd reject 504 at the same time). I like the
> > secrets name. I wonder though, should the PEP propose a specific set of
> > functions? (With the understanding that we might add more later.)
>
> The bikeshedding on that will be far more tedious than the
> implementation. I'll get it started :-)
>
> No attempt to be minimal here. More-than-less "obvious" is more important:
>
> Bound methods of a SystemRandom instance
>     .randrange()
>     .randint()
>     .randbits()
>         renamed from .getrandbits()
>     .randbelow(exclusive_upper_bound)
>         renamed from private ._randbelow()
>     .choice()
While we're bike-shedding, I don't know that I like the name randbits,
since that always makes me expect a sequence of 0, 1 bits. But that's a
minor point.
When would somebody use randbelow(n) rather than randrange(n)?
Apart from the possible redundancy between rand[below|range], all the
above seem reasonable to me.
Are there use-cases for a strong random float between 0 and 1? If
so, is it sufficient to say secrets.randbelow(sys.maxsize)/sys.maxsize,
or should we offer secrets.random() and/or secrets.uniform(a, b)?
> Token functions
>     .token_bytes(nbytes)
>         another name for os.urandom()
>     .token_hex(nbytes)
>         same, but return string of ASCII hex digits
>     .token_url(nbytes)
>         same, but return URL-safe base64-encoded ASCII
I suggest adding a default length, say nbytes=32, with a note that the
default length is expected to increase in the future. Otherwise, how
will the naive user know what counts as a good, hard-to-attack length?
All of the above look good to me.
>     .token_alpha(alphabet, nchars)
>         string of `nchars` characters drawn uniformly
>         from `alphabet`
What is the intention for this function? To use as passwords? Other than
that, it's not obvious to me what that would be used for.
--
Steve
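An added illustration of the API sketched in this exchange, written for this page; it is neither code from the thread nor the secrets module that later shipped. The function names follow Tim's list; the 32-byte default, the stripping of base64 "=" padding in token_url, the unit-step-only randrange, and the helper names modulo_bias_counts and ratio_to_one are assumptions made here. It also checks two of the design points raised above: why randbelow must reject out-of-range draws rather than reduce modulo n, and why randbelow(sys.maxsize)/sys.maxsize is not a sound way to get a float in [0, 1) on a 64-bit build (the largest possible result rounds to exactly 1.0, since a double carries only 53 bits of mantissa).

```python
import base64
import binascii
import os
import random

# SystemRandom draws from os.urandom, which is the whole point of a "secrets" module.
_sysrand = random.SystemRandom()

DEFAULT_NBYTES = 32  # assumed default, following the "say nbytes=32" suggestion


def randbits(k):
    """k random bits as an int, uniform over [0, 2**k)."""
    return _sysrand.getrandbits(k)


def randbelow(n):
    """Uniform int in [0, n) by rejection sampling, so there is no modulo bias."""
    if n <= 0:
        raise ValueError("upper bound must be positive")
    k = n.bit_length()
    r = randbits(k)
    while r >= n:  # discard out-of-range draws instead of reducing them mod n
        r = randbits(k)  # expected number of draws is below 2
    return r


def randrange(start, stop=None):
    """randrange(n) or randrange(a, b) with unit step only (kept short on purpose)."""
    if stop is None:
        start, stop = 0, start
    if stop <= start:
        raise ValueError("empty range")
    return start + randbelow(stop - start)


def randint(a, b):
    """Uniform int in the closed interval [a, b]."""
    return randrange(a, b + 1)


def choice(seq):
    """Uniform element of a non-empty sequence."""
    return seq[randbelow(len(seq))]


def token_bytes(nbytes=DEFAULT_NBYTES):
    """Raw random bytes; a thin name over os.urandom."""
    return os.urandom(nbytes)


def token_hex(nbytes=DEFAULT_NBYTES):
    """The same bytes as 2*nbytes lowercase ASCII hex digits."""
    return binascii.hexlify(token_bytes(nbytes)).decode("ascii")


def token_url(nbytes=DEFAULT_NBYTES):
    """URL-safe base64 of the bytes; '=' padding stripped (an assumption made here)."""
    return base64.urlsafe_b64encode(token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def token_alpha(alphabet, nchars):
    """nchars characters drawn uniformly and independently from alphabet (passwords, PINs)."""
    return "".join(choice(alphabet) for _ in range(nchars))


def random_float():
    """Uniform float in [0.0, 1.0): 53 random bits scaled by 2**-53, the mantissa width."""
    return randbits(53) / (1 << 53)


# ---- checks on the design points discussed in the thread ----

def modulo_bias_counts(n, nbits=8):
    """How often each residue mod n occurs when every nbits-bit value is reduced mod n.

    The draw is uniform only if every entry is equal; for n=200 and 8-bit input,
    residues 0..55 occur twice and 56..199 once, which is why randbelow rejects.
    """
    counts = [0] * n
    for v in range(1 << nbits):
        counts[v % n] += 1
    return counts


def ratio_to_one(bound):
    """(bound - 1) / bound, the largest value randbelow(bound)/bound can produce.

    With bound = sys.maxsize = 2**63 - 1 on a 64-bit build this rounds to 1.0,
    so the supposedly half-open interval [0, 1) is not actually respected.
    """
    return (bound - 1) / bound
```

The rejection loop in randbelow is the reason the proposal exposes randbelow at all: callers who reach for `getrandbits(8) % n` get the skew that modulo_bias_counts makes visible. The 53-bit construction in random_float matches how CPython's own SystemRandom.random() scales urandom output, and avoids the rounding edge that ratio_to_one demonstrates.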