puyuan / py-nanoid

Python Nanoid
MIT License
456 stars 22 forks

Feasibility for usage in AWS Lambda #22

Open stefanesterer opened 3 years ago

stefanesterer commented 3 years ago

First: Thx for providing this python implementation!

In one of my projects we are migrating applications from e.g. Kubernetes Java pods to services comprised of AWS Lambdas. Right now we are using a stateful id generator (based on Twitter Snowflake, https://developer.twitter.com/en/docs/twitter-ids).

Nanoid (with its JavaScript and Python implementations) seems like a perfect match for this new use case. My only concern/question is whether, by using nanoid in AWS Lambda, we are running into problems with nanoid not having enough entropy to create secure ids.

The readme says:

Nano ID uses the crypto module in Node.js

For the Node.js AWS Lambda environment we should be fine (Andrey confirmed that: https://github.com/ai/nanoid/issues/289#issuecomment-878055291).

I'm a little bit unsure about the Python implementation. Do you have experiences / insights to share?

Thx for your help!

DairAidarkhanov commented 2 years ago

Hey, thank you for the issue! I would like to help you and publish the new version of the package. Unfortunately, I was not granted the rights to this repository to make changes.

The original author of this package does not respond, so it's unknown when the fix will be released.

puyuan commented 2 years ago

Sorry for the late reply. The case you described about low entropy is indeed a unique scenario. I am not an expert, but I did some research. The secure generator used in this library uses Python's urandom function, which in most cases is secure (even under low entropy), with the exception of a brief moment after the machine reboots.

You can read more about urandom and entropy in the link below. In summary, after Python 3.5, a blocking urandom was implemented to ensure it's secure, but later reverted due to complications of blocking Python programs that use random generators running right after reboot. I would say Python's urandom has some issues under low entropy, but should be safe most of the time.

Python's os.urandom() in the absence of entropy
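The two points raised in this thread (whether the Python package draws from a cryptographic source, and the post-boot window in which the kernel pool may not yet be seeded) can be checked concretely. The block below is an added example and is not py-nanoid's own code: it reimplements the nanoid-style id generator over `os.urandom` with masked rejection sampling, so each alphabet symbol is equally likely, and adds a Linux-only probe that uses `os.getrandom` with `GRND_NONBLOCK` to detect an uninitialised entropy pool. The function names (`bit_mask`, `generate`, `entropy_pool_ready`) and the `random_bytes` injection parameter are this example's own; the 1.6x over-request factor mirrors the nanoid algorithm's documented step size and is not a tuning recommendation.

```python
import math
import os
from typing import Callable, Optional

# The nanoid project's default URL-safe alphabet (64 symbols).
URL_ALPHABET = "_-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def bit_mask(alphabet_len: int) -> int:
    """Smallest all-ones mask wide enough to index every alphabet symbol.

    Masking a random byte to this width and rejecting values >= alphabet_len
    keeps every symbol equally likely; `byte % alphabet_len` would skew the
    distribution toward low indices whenever 256 is not a multiple of it.
    """
    if not 2 <= alphabet_len <= 256:
        raise ValueError("alphabet must contain between 2 and 256 symbols")
    return (1 << (alphabet_len - 1).bit_length()) - 1


def generate(alphabet: str = URL_ALPHABET, size: int = 21,
             random_bytes: Callable[[int], bytes] = os.urandom) -> str:
    """Return `size` symbols drawn uniformly from `alphabet`.

    `random_bytes(n)` must yield n bytes from a CSPRNG. The default is
    os.urandom, the same source the thread says the library relies on; the
    parameter exists (example-only) so the sampler can be tested with fixed bytes.
    """
    if size < 1:
        raise ValueError("size must be positive")
    n = len(alphabet)
    if len(set(alphabet)) != n:
        raise ValueError("alphabet symbols must be unique")
    mask = bit_mask(n)
    # Roughly n/(mask+1) of the masked bytes survive rejection; asking for
    # 1.6x the expected need makes a single read sufficient almost always.
    step = math.ceil(1.6 * mask * size / n)

    out = []
    while True:
        for byte in random_bytes(step):
            idx = byte & mask
            if idx < n:                 # rejection step: discard out-of-range values
                out.append(alphabet[idx])
                if len(out) == size:
                    return "".join(out)


def entropy_pool_ready() -> Optional[bool]:
    """Probe the 'brief moment after reboot' concern on Linux.

    os.getrandom(..., GRND_NONBLOCK) raises BlockingIOError while the kernel's
    entropy pool is still uninitialised, which is exactly the window in which
    os.urandom on older kernels may hand back predictable bytes. Returns None
    where os.getrandom is unavailable (Python < 3.6 or a non-Linux platform).
    """
    if not hasattr(os, "getrandom"):
        return None
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
    except BlockingIOError:
        return False
    return True


if __name__ == "__main__":
    print("pool ready:", entropy_pool_ready())
    print("id:", generate())
```

Running the probe once at Lambda cold start (and refusing to mint ids if it returns `False`) is a cheap guard; in practice a container that has reached the Python runtime has long since seeded its pool, which is consistent with the "safe most of the time" conclusion above.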