Is this secure?

Paul Rubin no.email at nospam.invalid
Wed Feb 24 03:50:52 CET 2010


mk <mrkafk at gmail.com> writes:
>> You might look at the sitewww.diceware.comfor an approach to this,
>> which you can implement with a program.  The docs there are pretty
>> thoughtful and may help you understand the relevant issues.
>
> Thanks. But I would also be grateful for indicating what is wrong/ugly
> in my code.

The stuff about converting 4 random bytes to a decimal string and then
peeling off 2 digits at a time is pretty awful, and notice that since
2**32 is 4294967296, in the cases where you get 10 digits, the first
2-digit pair is never higher than 42.  There are also some effects on
the lower digits.  The total entropy loss probably isn't fatal but as
described, it's ugly.

I'd write your code something like this:

    nletters = 5

    def randomword(n):
        with open('/dev/urandom') as f:
            return ''.join([chr(ord('a')+ord(c)%26) for c in f.read(n)])

    print randomword(nletters)

I wouldn't rely on a 5 letter combination for a high security
application, but it might be ok for some low security purposes.  Two
random 5-letter combinations separated by a hyphen will be much better,
and is probably easier to type than a solid block of 10 letters.



More information about the Python-list mailing list