[Tutor] os.urandom()

[Steven D'Aprano]

On Sun, 8 Aug 2010 09:32:02 am Richard D. Moores wrote:
> On Sat, Aug 7, 2010 at 15:26, Alan Gauld <alan.gauld at btinternet.com> 
wrote:
> > Python is telling you its bytes with the b at the front.
> > The \x tells you they are hex values.
> >
> > (*)The fact its 5 is odd since you seem to pass 6 as an argument!
> > When I try it I get 6 bytes back.
>
> Yes, the number of bytes seems to <= 6, or is it?:

No, it's 6.

The underlying urandom generator *can* run out of entropy, but it will 
pause until there is enough entropy to generate sufficient random bytes 
rather than just supply too few bytes. In the worst case, where your 
computer has just started up (and hence has very little entropy), 
hasn't yet given you a GUI (and hence can't gather more entropy from 
mouse and keyboard events), and you've just asked for a wacking great 
pile of random bytes, urandom can lock up for *ages* waiting for more 
entropy so it can meet your request.



> >>> os.urandom(6)
> b'\xf1\x1c\x15\x83\x14\x0e'

Six bytes, each written in hex format \xNN.


> And what's with the l in b'l\xbb\xae\xb7\x0ft' ?

It's just a byte that happens to match the character "l" and therefore 
is printed as "l" instead of \x6c.


> I apologize to all for not explaining what I'm trying to accomplish.
> I just ran across os.urandom() and am trying to understand it. I have
> a script that I use to create passwords for my various website
> accounts, <http://tutoree7.pastebin.com/31AisCq1>, but wondered if
> website-permitted, but stronger passwords could be generated with the
> use of os.urandom(). At this point, I think not.

Extreme randomness of passwords is not actually a good thing. Generally 
people want to remember their passwords, in which case you want 
passwords which are random enough to be hard for others to guess while 
non-random enough for the owner to remember them.



-- 
Steven D'Aprano