[Python-ideas] Pre-PEP Adding A Secrets Module To The Standard Library
Stephen J. Turnbull
stephen at xemacs.org
Tue Sep 22 14:07:59 CEST 2015
Steven D'Aprano writes:
> On Tue, Sep 22, 2015 at 08:56:24AM +0900, Stephen J. Turnbull wrote:
> I don't know. Perhaps they will. I'm not entirely sure what the
> use-case of this password generator is, since I'm pretty sure that
> "real" password generators have to deal with far more complicated
Actually, I think they'll do what randrange does: take a seed from
urandom() and values from a (CS)PRNG based on that seed, and throw
away an out-of-range subset. Ie, they'll just generate passwords
based on a simple rule about the alphabet and keep trying until they
get one that passes the strength tester.
> > I would expect that this function would be used for
> > initial system-generated passwords (or system-enforced random
> > passwords), and the system would have control over the admissible set.
> Perhaps so. But then how does the application get the password to the
> user? Via unencypted email, like mailman does?
Well, I hand them out to my students in class on business cards. But
an HTTPS connection could also work.
> I expect that the only use-case for an application generating a
> password for the user would be "low security" applications where
> the password has low value.
That could very well be true.
More information about the Python-ideas