On Sat, 10 Mar 2018 16:35:47 +0100
Tom Tervoort <tomtervo...@gmail.com> wrote:
>
> I think there are quite some situations where unnecessarily long codes can
> cause usability problems: when using a system
> where users have to manually type in a random code (I frequently have to do
> that when using the password manager on my
> phone, for example) it's nice if you can save half of the time they have to
> spend on that. Shorter codes can also be
> converted to smaller QR codes, and to nicer URLs.

If you want shorter codes for specific scenarios then it's your
responsibility (as an application developer) to adapt the token width
*and* ensure that the chosen code length is still non-vulnerable.

I think defaulting to 32 bytes for the Python standard library is good as:
1) it's more future-proof, even in the face of algorithm weaknesses
   which may make available better-than-brute-force methods in the future
2) it teaches developers the value of having sufficient entropy in
   tokens

Also I disagree with the claim that 16 bytes is somehow better for
usability. It's still a terribly long random string to type by hand
and I hope nobody is inflicting that on their users.

(I'm not sure what "smaller QR code" means. Given a QR code is
basically a computer analysis-friendly glyph that you show your phone
or other device to perform pattern recognition on, why does it matter
whether the QR code is "small" or not?)

> A user should be able to rely on the library
> picking a good secure default.

And that's exactly what the library does, apparently!

Regards

Antoine.

_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
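
An added example, not part of the message above and not code from the standard library: one way an application developer could check a shortened token width against a threat model before using it, as the reply says is their responsibility. The function names and the threat-model numbers (live tokens, guess rate, lifetime, acceptable risk) are constructed assumptions; `secrets.token_urlsafe` is the only library call.

```python
import math
import secrets

DEFAULT_NBYTES = 32  # standard-library default discussed in the thread


def guess_success_bound(nbytes, live_tokens, guesses):
    """Union bound on the chance that any of `guesses` uniformly random
    guesses equals one of `live_tokens` valid tokens of `nbytes` bytes."""
    return min(1.0, live_tokens * guesses / 2 ** (8 * nbytes))


def min_token_bytes(live_tokens, guesses_per_second, lifetime_seconds, max_risk):
    """Smallest whole number of random bytes that keeps the bound above
    at or below `max_risk` for the given (assumed) threat model."""
    guesses = guesses_per_second * lifetime_seconds
    bits_needed = math.log2(live_tokens * guesses / max_risk)
    return max(1, math.ceil(bits_needed / 8))


def new_token(nbytes=DEFAULT_NBYTES, *, min_bytes):
    """Issue a URL-safe token, refusing widths below the computed floor."""
    if nbytes < min_bytes:
        raise ValueError(f"{nbytes} bytes is below the {min_bytes}-byte floor")
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed threat model: ~1M live tokens, ~1M guesses/s,
    # ~24-day token lifetime, acceptable risk 2**-40.
    floor = min_token_bytes(2**20, 2**20, 2**21, 2**-40)
    for width in (floor, 16, DEFAULT_NBYTES):
        token = new_token(width, min_bytes=floor)
        bound = guess_success_bound(width, 2**20, 2**41)
        print(f"{width:2d} bytes -> {len(token)} chars, bound {bound:.1e}")
```

The bound only covers brute-force guessing of uniformly random tokens; it gives no margin for the better-than-brute-force methods the reply mentions, which is the argument for keeping the wider default.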