[Python-ideas] Pre-PEP Adding A Secrets Module To The Standard Library

Stephen J. Turnbull stephen at xemacs.org
Tue Sep 22 14:07:59 CEST 2015

Steven D'Aprano writes:
 > On Tue, Sep 22, 2015 at 08:56:24AM +0900, Stephen J. Turnbull wrote:

 > I don't know. Perhaps they will. I'm not entirely sure what the
 > use-case of this password generator is, since I'm pretty sure that
 > "real" password generators have to deal with far more complicated
 > rules.

Actually, I think they'll do what randrange does: take a seed from
urandom() and values from a (CS)PRNG based on that seed, and throw
away an out-of-range subset.  Ie, they'll just generate passwords
based on a simple rule about the alphabet and keep trying until they
get one that passes the strength tester.

 > > I would expect that this function would be used for
 > > initial system-generated passwords (or system-enforced random
 > > passwords), and the system would have control over the admissible set.
 > Perhaps so. But then how does the application get the password to the 
 > user? Via unencypted email, like mailman does?

Well, I hand them out to my students in class on business cards.  But
an HTTPS connection could also work.

 > I expect that the only use-case for an application generating a
 > password for the user would be "low security" applications where
 > the password has low value.

That could very well be true.

More information about the Python-ideas mailing list