Is this secure?

mk mrkafk at
Wed Feb 24 21:06:00 CET 2010

On 2010-02-24 20:30, Michael Rudolf wrote:
>>> The reason is 256 % 26 != 0
>>> 256 mod 26 equals 22, thus your code is hitting a-v about 10% (256/26 is
>>> approx. 10) more often than w-z.
>> <Barbie voice>writing secure code is hard...
> So true. That's why one should stick to standard libs when it comes to
> crypto or security in general. It's just to easy to mess it up. Just ask
> Debian about whether touching OpenSSL was a good idea ;)

That was brain-dead hiccup, for crying out loud how could they do smth 
so stupid.

>> def gen_rand_word(n):
>> with open('/dev/urandom') as f:
>> return ''.join([chr(ord('a') + ord(x) % 26) for x in if ord(x)
>> > 22])
> Off-by-one-error: you're skipping len(range(22))==23 hits.

Argh, it's late here.

> Well, I really think that you should use repeated Random.choice on an
> alphabet.
> Or Random.Systemrandom.choice if you don't trust the PRNG.

I just posted a comparison with calculating std deviations for various 
methods - using os.urandom, SystemRandom.choice with seeding and without 

They all seem to have slightly different distributions.


More information about the Python-list mailing list