Password validation security issue
steve+comp.lang.python at pearwood.info
Mon Mar 3 03:30:52 CET 2014
On Sun, 02 Mar 2014 15:10:06 -0800, Renato wrote:
> I would like to thank everyone who posted a reply. I learnt a lot from
> you, guys! I appreciate your attention and your help :)
> I took a class on Computer Simulation last year. It was told that
> deterministic (pseudo-)random numbers are excellent for simulations,
> because they allow debugging and replication when using a seed(). But it
> was said that deterministic random numbers weren't indeed suitable for
> encryption and security issues in general. For this purpose,
> non-deterministic stochastic methods would be more indicated.
Either you have misunderstood, or you have been told something incorrect.
You don't in general want non-deterministic stochastic randomness,
because you can't control it and you can't make any guarantees about it.
Stochastic randomness nearly always has deviations from uniformity which
can be exploited, that is, it is less random than you might think. For

Nor should you use deterministic PRNGs like the Mersenne Twister, not
because they are deterministic, but because they aren't cryptographically

The right approach is to use a deterministic PRNG which is deliberately
designed for use in cryptographic applications, and then add in a source
of entropy (which might be non-deterministic, like thermal noise or the
output of radioactive decay). On Unix systems, the OS already does this
> One last thing, about my original question. So, the only way of
> encapsulating a Python script content is to code a simple binary program
> to call it?
I don't understand this question. Can you explain more?
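
The distinction drawn in the reply above, as an added example that is not part of the original post: Python's default `random.Random` is the Mersenne Twister and replays exactly from its seed, while `random.SystemRandom` and `secrets` draw from the operating system's entropy-fed CSPRNG. The alphabet, lengths, seed values and function names are assumptions chosen for illustration.

```python
import random
import secrets
import string

# Assumed alphabet for the illustration: 62 symbols, about 5.95 bits each.
ALPHABET = string.ascii_letters + string.digits


def password_from(rng, length=16):
    """Draw `length` characters from ALPHABET using the given generator."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def mersenne_password(seed, length=16):
    # random.Random is the Mersenne Twister. It is fine for simulations,
    # but the whole output stream is a function of the seed.
    return password_from(random.Random(seed), length)


def csprng_password(length=16):
    # random.SystemRandom reads os.urandom(), i.e. the OS CSPRNG, which
    # the kernel keeps reseeding from collected entropy.
    return password_from(random.SystemRandom(), length)


def session_token(nbytes=32):
    # secrets is the standard-library front end to the same OS source.
    return secrets.token_urlsafe(nbytes)


def seed_reproduces(rng_class, seed=42):
    """Return True if two generators given the same seed emit the same bits."""
    a, b = rng_class(), rng_class()
    a.seed(seed)  # SystemRandom accepts the call but ignores it
    b.seed(seed)
    return a.getrandbits(128) == b.getrandbits(128)


if __name__ == "__main__":
    # Constructed seed value, for demonstration only.
    print("MT, seed 2014     :", mersenne_password(2014))
    print("MT, seed 2014     :", mersenne_password(2014), "(identical)")
    print("CSPRNG            :", csprng_password())
    print("CSPRNG            :", csprng_password(), "(fresh each call)")
    print("token             :", session_token())
    print("Random reseeds    :", seed_reproduces(random.Random))
    print("SystemRandom does :", seed_reproduces(random.SystemRandom))
```
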