[Python-ideas] Pre-PEP Adding A Secrets Module To The Standard Library

M.-A. Lemburg mal at egenix.com
Tue Sep 22 18:25:46 CEST 2015

On 22.09.2015 18:01, Brett Cannon wrote:
> On Tue, 22 Sep 2015 at 04:56 Nick Coghlan <ncoghlan at gmail.com> wrote:
>> On 22 September 2015 at 09:56, Stephen J. Turnbull <stephen at xemacs.org>
>> wrote:
>>> Steven D'Aprano writes:
>>>  > I wouldn't include punctuation [in the password alphabet] by
>>>  > default, as too many places still prohibit some, or all,
>>>  > punctuation characters.
>>> Do you really expect users to choose their own random passwords using
>>> this function?  I would expect that this function would be used for
>>> initial system-generated passwords (or system-enforced random
>>> passwords), and the system would have control over the admissible set.
>>> But users who have to conform to somebody else's rules much prefer
>>> obfuscated passwords that pass strength tests to random passwords in
>>> my experience.
>> Right, the primary use case here is "web developer creating a default
>> password for an automatically created admin account" (for example),
>> not "end user creating a password for an arbitrary service".
>> We don't want to overgeneralise the canned recipes - keep them dirt
>> simple, and if folks want something slightly different, we can go the
>> itertools path and have recipes in the documentation.
> Out of this whole proposal, this password function is the one I'm most
> worried about. As someone who has a project whose entire job is to generate
> consistent passwords, I can tell you it's a messy business that will just
> lead to never-ending complaints about "why didn't you include this as part
> of password alphabet" or "why did you choose that length". It just isn't
> worth the hassle when it isn't going to impact a majority of Python users.
> This can be something that web frameworks and other folks worry about.

Agreed. There are too many policies and regulations for
passwords out there. The stdlib is not the right place for this.

But the general purpose functionality of having a function
which returns a string of given length and characters from a
given set is useful for building routines which implement
such policies.

Just don't call it a password function :-)

How about: randstr(length, alphabet)

Marc-Andre Lemburg

Professional Python Services directly from the Experts (#1, Sep 22 2015)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...           http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...           http://zope.egenix.com/
2015-09-14: Released mxODBC Plone/Zope DA 2.2.3   http://egenix.com/go84
2015-09-26: Python Meeting Duesseldorf Sprint 2015          4 days to go
2015-10-21: Python Meeting Duesseldorf ...                 29 days to go

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Python-ideas mailing list