Make a unique filesystem path, without creating the file

Steven D'Aprano steve at pearwood.info
Mon Feb 22 19:03:06 EST 2016


On Tue, 23 Feb 2016 06:22 am, Jon Ribbens wrote:

> Suppose you had code like this:
> 
> filename = binascii.hexlify(os.urandom(16)).decode("ascii")
> 
> Do we really think that is insecure or that there are any practical
> attacks against it? It would be basically the same as saying that
> urandom() is broken, surely?

Correct. Any attack against urandom would be an attack on this. You would
just have to trust that the kernel devs have made urandom as secure as
possible, and pay no attention to what the man page says, as its wrong.

By the way, Python 3.6 will have (once Guido formally approves it) a new
module, "secrets", for securely generating (pseudo)random tokens like this:

import secrets
filename = secrets.token_hex(16)


https://www.python.org/dev/peps/pep-0506/




-- 
Steven



More information about the Python-list mailing list