Is this secure?

Steven D'Aprano steven at REMOVE.THIS.cybersource.com.au
Wed Feb 24 03:07:42 CET 2010


On Tue, 23 Feb 2010 15:36:02 +0100, mk wrote:

> Hello,
> 
> I need to generate passwords and I think that a pseudo-random generator is
> not good enough, frankly. So I wrote this function:
[snip]
> (yes, I know that the string generated this way will not contain 'z' because
> 99/4 + 97 = 121 which is 'y')

You're worried about the security of the PRNG but then generate a TWO to 
FIVE character lowercase password with no digits, punctuation or the 
letter 'z'? That's priceless!

Python's PRNG is not suitable for producing cryptographically strong 
streams of random bytes, but it is perfectly strong enough for generating 
good passwords.



> The question is: is this secure? 

No. 

You are wasting your time trying to fix something which isn't a problem, 
and introducing a much bigger problem instead. You are MUCH MUCH MUCH 
better off with a six or ten character password taken from upper and 
lowercase letters, plus digits, plus punctuation, than a four digit 
password taken from lowercase letters only. Even if the first case has 
some subtle statistical deviation from uniformity, and the second is 
"truly random" (whatever that means), it doesn't matter.

Nobody is going to crack your password because the password generator is 
0.01% more likely to generate a "G" than a "q". But they *will* brute-
force your password if you have a four digit password taken from a-y only.



> That is, can the string generated this
> way be considered truly random? 

Define truly random.



-- 
Steven
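An added example, not code from either poster, that quantifies the point made above: it reproduces the reachable alphabet of the quoted n/4 + 97 mapping (the page gives 99/4 + 97 = 121), compares the keyspace of a 4-character a..y password with a 6-character mixed-charset one, and draws passwords with the `secrets` module (Python 3.6+, which postdates this 2010 thread). The guess rate of 1e9 per second is an assumed, constructed figure.

```python
import math
import secrets
import string

FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def legacy_reachable_alphabet() -> str:
    """Letters the quoted n/4 + 97 mapping (integer division) can produce.
    The largest draw, 99, gives chr(24 + 97) == 'y', so 'z' is never reachable."""
    return "".join(sorted({chr(n // 4 + 97) for n in range(100)}))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly drawn password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(alphabet_size: int, length: int,
                              guesses_per_second: float = 1e9) -> float:
    """Time to try every candidate at an assumed (constructed) guess rate."""
    return alphabet_size ** length / guesses_per_second


def generate_password(length: int, alphabet: str = FULL_CHARSET) -> str:
    """Draw each symbol with the OS CSPRNG via `secrets`, uniformly over
    `alphabet`; secrets.choice avoids the division/modulo bias of a
    hand-rolled mapping."""
    if length < 1:
        raise ValueError("length must be >= 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_thread_cases() -> dict:
    """Keyspace of a 4-char a..y password vs a 6-char full-charset one."""
    weak = (len(legacy_reachable_alphabet()), 4)
    strong = (len(FULL_CHARSET), 6)
    return {
        "weak_bits": keyspace_bits(*weak),
        "weak_search_s": exhaustive_search_seconds(*weak),
        "strong_bits": keyspace_bits(*strong),
        "strong_search_s": exhaustive_search_seconds(*strong),
    }


if __name__ == "__main__":
    print(compare_thread_cases())
    print(generate_password(10))
```

The 4-character a..y case is about 18.6 bits and is exhausted in well under a second at the assumed rate, while the 6-character mixed case is about 39.3 bits, roughly two million times larger.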


