On Mon, 18 Jun 2012 08:41:57 +1000, Chris Angelico wrote: > On Mon, Jun 18, 2012 at 3:06 AM, Rafael Durán Castañeda > <rafadurancastan...@gmail.com> wrote: >> The language Python includes a SystemRandom class that obtains >> cryptographic grade random bits from /dev/urandom on a Unix-like >> system, including Linux and Mac OS X, while on Windows it uses >> CryptGenRandom. > > /dev/urandom isn't actually cryptographically secure; it promises not to > block, even if it has insufficient entropy. But in your instance...
Correct. /dev/random is meant to be used for long-lasting cryptographically-significant uses, such as keys. urandom is not. http://en.wikipedia.org/wiki//dev/random >> Do you think is secure enough for token generation? (40 chars long >> tokens are used for password reset links in a website, there isn't any >> special security concern for the web). > > ... it probably is fine, since password reset tokens don't need to be as > secure as encryption keys (if anyone _does_ figure out how to predict > your password resets, all they'll be able to do is lock people out of > their accounts one by one, not snoop on them all unbeknownst, and you'll > be able to see log entries showing the resets - you DO log them, > right?). In fact, you could probably get away with something pretty > trivial there, like a SHA1 of the current timestamp, the user name, and > the user's current password hash. The chances that anybody would be able > to exploit that are fairly low, given that you're not a bank or other > high-profile target. If I were an identity thief, I would *love* low-profile targets. Even though the payoff would be reduced, the cost would be reduced even more: - they tend to be complacent, even more so than high-profile targets; - they tend to be smaller, with fewer resources for security; - mandatory disclosure laws tend not to apply to them; - they don't tend to have the resources to look for anomalous usage patterns, if they even cared enough to want to. If there was a Facebook-like website that wasn't Facebook[1], but still with multiple tens of thousands of users, I reckon a cracker who didn't vandalise people's accounts could steal private data from it for *years* before anyone noticed, and months or years more before they did something about it. [1] And very likely a Facebook-like website that *was* Facebook. I reckon the odds are about 50:50 that FB would prefer to keep a breach secret than risk the bad publicity by fixing it. -- Steven -- http://mail.python.org/mailman/listinfo/python-list