Is this secure?

Paul Rubin no.email at nospam.invalid
Thu Feb 25 02:31:31 CET 2010


mk <mrkafk at gmail.com> writes:
> Anyway, the passwords for authorized users will be copied and pasted
> from email into in the application GUI which will remember it for
> them, so they will not have to remember and type them in. 

It occurs to me that you don't even need to mess with letters in that
case:

   password = os.urandom(5).encode('hex')

will generate a string of 10 hex digits that you can give to the user.
(That is for Python 2.x but I think it might be broken in Python 3).

It might be helpful if you could say what your application does, or
anyway give an idea of what its actual security requirements are.
Generating and emailing someone a random password is a fairly standard
method for (e.g.) web forums to verify that the person has supplied a
working email address, basically as a first level spam filter.  Your
scheme is probably ok for that.  If you're doing something with more
demanding security requirements, then as mentioned before, there is a
whole lot of stuff you have to pay attention to, and focusing narrowly
on password generation isn't that useful.



More information about the Python-list mailing list