For generating secrets it's important to discourage usage of the random module,
but use something like:

    import os
    # 128 bytes from the OS CSPRNG, hex-encoded (Python 2: ord() on each str byte)
    secret = ''.join('%02x' % ord(x) for x in os.urandom(128))

On Fri, Sep 21, 2012 at 7:50 PM, Jonathan Vanasco <jonat...@findmeon.com> wrote:

>> Additionally you could provide help on how to generate such a secret (but
>> that's extra candy). I have looked through various parts of the
>> documentation and it is always set to something like 'seekrit' and similar,
>> but it is never mentioned how to make sure that this is secure.
>>
>
> FWIW, WordPress has had this feature for a while: the docs instruct you to
> visit the following URL, which generates valid secret strings.
>      http://api.wordpress.org/secret-key/1.1/
>
> I think most of the application scaffolds will generate a secret - but it
> might be a useful feature to just have a secret-key generator on the
> pylonsproject.org site and referenced in the docs.
>
> I've also generally disliked mod_auth_tkt for a few years. I've opted
> for an approach where the secret rotates based on the timestamp and/or
> ip/other data.  It's a bit harder to set up in a clustered environment, but
> the tickets are HMACs with SHA512 with rotating keys.  It doesn't make it
> unbreakable, but just a bit more of a pain to break, and with some sort of
> timed window before you need to break it again.
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-devel" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/pylons-devel/-/4dxNXUSoAPAJ.
>
> To post to this group, send email to pylons-devel@googlegroups.com.
> To unsubscribe from this group, send email to
> pylons-devel+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/pylons-devel?hl=en.
>

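As an added example (not code from this thread or from the Pylons project), here is the Python 3 form of the os.urandom snippet above together with a sketch of the rotating-key HMAC-SHA512 ticket Jonathan describes. The per-window key derivation, the one-hour window, the ticket layout and the one-window grace period are assumptions made for the example, not his implementation.

```python
import hashlib
import hmac
import os
import time

# Assumed rotation period; the thread gives no number.
WINDOW_SECONDS = 3600


def generate_secret(nbytes=128):
    """Python 3 form of the os.urandom snippet above: hex of CSPRNG bytes."""
    return os.urandom(nbytes).hex()


def window_key(master, window):
    """Derive the key for one rotation window from a long-lived master secret.
    Assumed construction: HMAC-SHA512(master, window index)."""
    return hmac.new(master, b"window:%d" % window, hashlib.sha512).digest()


def make_ticket(master, user_id, now=None):
    """Assumed layout: 'window:user_id:hex(HMAC-SHA512(window_key, window:user_id))'."""
    now = time.time() if now is None else now
    window = int(now // WINDOW_SECONDS)
    payload = ("%d:%s" % (window, user_id)).encode()
    tag = hmac.new(window_key(master, window), payload, hashlib.sha512).hexdigest()
    return "%d:%s:%s" % (window, user_id, tag)


def verify_ticket(master, ticket, now=None, grace_windows=1):
    """Return user_id if the tag is valid and the ticket's window is the current
    one or at most `grace_windows` back (tolerates the key rotating); else None."""
    try:
        window_s, rest = ticket.split(":", 1)
        user_id, tag = rest.rsplit(":", 1)
        window = int(window_s)
    except ValueError:
        return None
    now = time.time() if now is None else now
    current = int(now // WINDOW_SECONDS)
    if not (current - grace_windows <= window <= current):
        return None  # expired, or stamped with a future window
    payload = ("%d:%s" % (window, user_id)).encode()
    expected = hmac.new(window_key(master, window), payload, hashlib.sha512).hexdigest()
    # Constant-time compare so the tag check does not leak via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return user_id
```

Because each window's key is derived from the master secret, every node in a cluster can verify tickets without sharing rotated keys, which addresses the clustering difficulty mentioned in the thread.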