Re: Introducing the secrets module
On Sun, 17 Apr 2016 10:40 pm, Irmen de Jong wrote:

> On 17-4-2016 4:36, Steven D'Aprano wrote:
>
>> And the documentation:
>>
>> https://docs.python.org/3.6/library/secrets.html
>>
>>
>> Comments requested.
>
> I've read about the "How many bytes should tokens use?" consideration. It
> suggests that to be secure, tokens need to have sufficient randomness. The
> default token length is subject to change at any time to remain secure
> against brute-force. However the API allows you to supply any token
> length, even one that is (a lot) shorter than the default.
> In view of the rationale for this new module ("Python's standard library
> makes it too easy for developers to inadvertently make serious security
> errors") should it perhaps not be allowed to use a value that is less than
> the default?
>
> Hm, perhaps it should not; enforcing this could break code suddenly in the
> future when the default is raised...

Correct. Also, consider that random tokens are not necessarily for
high-security purposes. Consider Youtube URLs that are intended to be hard
to guess and unpredictable, but permanent:

http://www.youtube.com/watch?v=kQFKtI6gn9Y

There are no security implications from revealing or guessing this URL.

On the other hand:

https://freedom-to-tinker.com/blog/vitaly/gone-in-six-characters-short-urls-considered-harmful-for-cloud-services/

--
Steven

--
https://mail.python.org/mailman/listinfo/python-list
Re: Introducing the secrets module
On 17-4-2016 4:36, Steven D'Aprano wrote:

> And the documentation:
>
> https://docs.python.org/3.6/library/secrets.html
>
>
> Comments requested.

I've read about the "How many bytes should tokens use?" consideration. It
suggests that to be secure, tokens need to have sufficient randomness. The
default token length is subject to change at any time to remain secure
against brute-force. However the API allows you to supply any token
length, even one that is (a lot) shorter than the default.
In view of the rationale for this new module ("Python's standard library
makes it too easy for developers to inadvertently make serious security
errors") should it perhaps not be allowed to use a value that is less than
the default?

Hm, perhaps it should not; enforcing this could break code suddenly in the
future when the default is raised...

Irmen
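Added example (not part of the thread, and not code from the secrets module): one way an application could enforce a length floor only for security-sensitive tokens while still allowing short public identifiers, and compare the guessing cost of each. The names MIN_SENSITIVE_BYTES, new_token, token_bits and expected_guesses, and the 16-byte floor, are assumptions made for this illustration.

```python
import math
import secrets

# Hypothetical policy floor for security-sensitive tokens (assumption for this
# example, not a value taken from the secrets module or the thread).
MIN_SENSITIVE_BYTES = 16


def new_token(nbytes=None, *, sensitive=True):
    """Return a URL-safe token, rejecting short explicit lengths only when
    the caller marks the token as security-sensitive."""
    if sensitive and nbytes is not None and nbytes < MIN_SENSITIVE_BYTES:
        raise ValueError(
            f"{nbytes} bytes is below the {MIN_SENSITIVE_BYTES}-byte floor"
        )
    # nbytes=None defers to the module default, so a future increase of that
    # default is picked up without any change here.
    return secrets.token_urlsafe(nbytes)


def token_bits(token, alphabet_size=64):
    """Upper bound on entropy for a token drawn uniformly from the alphabet."""
    return len(token) * math.log2(alphabet_size)


def expected_guesses(bits, live_tokens=1):
    """Mean number of distinct guesses before the first hit when live_tokens
    valid values are spread uniformly over a space of 2**bits."""
    return (2 ** bits + 1) / (live_tokens + 1)


if __name__ == "__main__":
    short = new_token(6, sensitive=False)   # public, permanent identifier
    strong = new_token()                    # session key, reset link, ...
    for label, tok in (("short", short), ("default", strong)):
        bits = token_bits(tok)
        print(f"{label:8} {len(tok):3} chars  <= {bits:5.0f} bits  "
              f"~{expected_guesses(bits, live_tokens=10**6):.3g} guesses "
              f"to hit one of 1e6 live tokens")
```

Passing no length for sensitive tokens keeps the code working when the default is raised, which is the breakage concern raised above; the floor applies only to explicit short lengths.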
Introducing the secrets module
I'm pleased to announce a new standard library module for Python 3.6 and
better, to aid in generating secure tokens for authentication and other
secrets.

Last year, the founder of OpenBSD Theo de Raadt contacted Guido van Rossum
with concerns that the Python standard library made it too easy for people
to generate insecure tokens, session keys and related data. The problem is
that developers may use the random module for generating tokens which need
to be hard to guess. However the random module uses the Mersenne Twister by
default, which is designed for simulation and modelling and is not suitable
for cryptographic purposes. Consequently such tokens may be insecure.

After much discussion, it was decided to leave the random module as-is, but
introduce a new module which can be used to generate hard-to-guess
(cryptographically strong) tokens and random numbers: the secrets module.

See the PEP for more details:

https://www.python.org/dev/peps/pep-0506/

And the documentation:

https://docs.python.org/3.6/library/secrets.html

Comments requested.

--
Steven