From: Devin Jeanpierre
Date: Sun, 10 Aug 2014 11:28:39 -0700
Subject: Re: Template language for random string generation
To: "Steven D'Aprano"
Cc: "comp.lang.python"
Newsgroups: comp.lang.python
In-Reply-To: <53e79e46$0$29967$c3e8da3$5496439d@news.astraweb.com>
References: <14d94692-2257-4dfb-a82f-f1674a839233@googlegroups.com> <53e79e46$0$29967$c3e8da3$5496439d@news.astraweb.com>

On Sun, Aug 10, 2014 at 9:31 AM, Steven D'Aprano wrote:
>> (I've been working on this kind of thing with regexps, but it's still
>> incomplete.)
>>
>>> * Uses SystemRandom class (if available, or falls back to Random)
>>
>> This sounds cryptographically weak. Isn't the normal thing to do to
>> use a cryptographic hash function to generate a pseudorandom sequence?
>
> I don't think that using a good, but not cryptographically-strong, random
> number generator to generate passwords is a serious vulnerability. What's
> your threat model?

I've always wanted a password generator that worked on the fly based off of
a master password. If the passwords are generated randomly but not
cryptographically securely so, then given sufficiently many passwords, the
master password might be deduced. CSPRNGs guarantee otherwise.

>> Someone should write a cryptographically secure pseudorandom number
>> generator library for Python. :(
>
> Here, let me google that for you

I should clarify that OpenSSL has one (which is what I assume you're
alluding to), but it doesn't let you choose the seed, so it's useless for
deterministic password generation. There are also lots of small libraries
some person wrote at some time, but that sounds shady. ;)

-- Devin
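A seedable, hash-based generator of the kind Devin describes, as an added example that is not from the thread or any library mentioned in it: the master password is stretched with PBKDF2 (the site label is the salt), the resulting seed is expanded with HMAC-SHA256 in counter mode, and keystream bytes are mapped onto the alphabet with rejection sampling so the template symbols stay unbiased. The alphabet, site label and iteration count are assumptions.

```python
import hashlib
import hmac

# Constructed example: derive a per-site password deterministically from a
# master password using only cryptographic primitives, so that observed
# passwords do not let anyone work backwards to the master secret.

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def derive_seed(master_password: str, site: str, iterations: int = 200_000) -> bytes:
    """Slow KDF over the master password; the site label acts as salt so each
    site gets an independent seed (iteration count is an assumed value)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               site.encode(), iterations)


def hmac_stream(seed: bytes):
    """Infinite keystream: HMAC-SHA256(seed, counter) for counter = 0, 1, ...
    Recovering the seed from outputs would require breaking HMAC; a seeded
    random.Random (Mersenne Twister) offers no such guarantee."""
    counter = 0
    while True:
        block = hmac.new(seed, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
        yield from block


def password_from_seed(seed: bytes, length: int, alphabet: str = ALPHABET) -> str:
    """Map keystream bytes onto the alphabet with rejection sampling so every
    symbol is equally likely (plain modulo would favour the first symbols)."""
    stream = hmac_stream(seed)
    limit = 256 - (256 % len(alphabet))  # largest multiple of len(alphabet) <= 256
    out = []
    while len(out) < length:
        b = next(stream)
        if b < limit:
            out.append(alphabet[b % len(alphabet)])
    return "".join(out)


def site_password(master_password: str, site: str, length: int = 16) -> str:
    """Deterministic: same master password and site always give the same result."""
    return password_from_seed(derive_seed(master_password, site), length)


if __name__ == "__main__":
    print(site_password("correct horse battery staple", "example.org"))
```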