Is this secure?

Robert Kern robert.kern at
Wed Feb 24 04:09:36 CET 2010

On 2010-02-23 20:43 , Steven D'Aprano wrote:
> On Wed, 24 Feb 2010 02:40:13 +0000, Steven D'Aprano wrote:
>> On Tue, 23 Feb 2010 15:36:02 +0100, mk wrote:
>>> The question is: is this secure? That is, can the string generated this
>>> way be considered truly random?
>> Putting aside the philosophical question of what "truly random" means, I
>> presume you mean that the letters are uniformly distributed. The answer
>> to that is, they don't like uniformly distributed.
> Er, they don't *look* uniformly distributed.
> (Of course, being random, perhaps they are and I just got unlucky.)

You'd have to be very, *very* unlucky to get a sample of that size so far from 
uniformly distributed if the generating process actually were uniform.

Of course, uniformity isn't really necessary. You just need enough entropy in 
the distribution (amongst other things like protection of the seed from being 
known or guessed). A skewed distribution of characters is perfectly fine 
provided that you had enough characters in the password to meet the desired 
entropy requirement. A skewed distribution does require more characters to meet 
a specified entropy requirement than a uniform distribution, of course.

That said, for a naive strategy like "pick an independent random character, 
repeat", you should just use a uniform distribution. It makes the analysis 
easier. Worthwhile generators that give skewed distributions usually do so for a 
good reason, like generating pronounceable passwords.

Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
  that is made terrible by our own mad attempt to interpret it as though it had
  an underlying truth."
   -- Umberto Eco

More information about the Python-list mailing list