Closed avri-schneider closed 3 months ago
Thanks for your interest in PyOTP. Your idea of the current implementation is not correct, and PyOTP already uses the cryptographically strong system random number generator instead of the Mersenne Twister implementation that the warnings you cited refer to. Please take a look at https://github.com/pyauth/pyotp/blob/develop/src/pyotp/compat.py and https://github.com/pyauth/pyotp/blob/develop/src/pyotp/__init__.py#L7 to see how this is implemented.
Thanks for this and sorry for opening this issue - I missed this 🙏
Description: The current implementation of the `random_base32` function uses the `random` module to generate random base32 strings. However, the `random` module is not suitable for cryptographic purposes as it is not designed to be secure. The `secrets` module, introduced in Python 3.6, is specifically designed for generating cryptographically secure random numbers.

Current Implementation:

Proposed Change: Replace the use of the `random` module with the `secrets` module to ensure the function is suitable for cryptographic applications.

Updated Implementation:

References:

- Python `random` module documentation: "… `secrets` for cryptographic applications."
- Python `secrets` module documentation: "… `secrets` module is used for generating cryptographically strong random numbers suitable for managing data such as passwords, account authentication, security tokens, and related secrets."
- PEP 506 – Adding A Secrets Module To The Standard Library: "… `secrets`, to Python's standard library. This module will provide functions for securely generating random numbers, suitable for use in cryptographic applications."

Impact: Updating the function to use the `secrets` module will enhance the security of the generated base32 strings, making them suitable for use in cryptographic contexts such as generating secure tokens and passwords.
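
The thread turns on whether a name called `random` refers to the Mersenne Twister module or to an OS-backed generator. The following is an added example, not PyOTP's code: a small, flow-insensitive AST check that flags only calls reaching the `random` module itself (`from random import choice` style imports are not covered). Both source samples and the function names are constructed for illustration and are assumptions about shape, not copies of the project's files.

```python
import ast

# Constructed samples (not PyOTP's source): a module-level Mersenne Twister
# call, and the same call routed through a SystemRandom instance.
WEAK_SRC = """
import random
def random_base32(length=32, chars="ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"):
    return "".join(random.choice(chars) for _ in range(length))
"""
STRONG_SRC = """
from random import SystemRandom
random = SystemRandom()
def random_base32(length=32, chars="ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"):
    return "".join(random.choice(chars) for _ in range(length))
"""

def _is_system_random(value):
    """True for SystemRandom() or random.SystemRandom() constructor calls."""
    f = value.func if isinstance(value, ast.Call) else None
    return ((isinstance(f, ast.Name) and f.id == "SystemRandom")
            or (isinstance(f, ast.Attribute) and f.attr == "SystemRandom"))

def weak_random_calls(source):
    """Return (line, call) pairs that draw from the Mersenne Twister module."""
    tree = ast.parse(source)
    mt_names, findings = set(), []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            # `import random [as r]` binds the module itself.
            mt_names |= {a.asname or a.name for a in node.names
                         if a.name == "random"}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_system_random(node.value):
            # Name rebound to an OS-backed generator: no longer the module.
            mt_names -= {t.id for t in node.targets if isinstance(t, ast.Name)}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id in mt_names
                and node.func.attr != "SystemRandom"):
            findings.append((node.lineno,
                             f"{node.func.value.id}.{node.func.attr}"))
    return findings

if __name__ == "__main__":
    print("weak sample:  ", weak_random_calls(WEAK_SRC))
    print("strong sample:", weak_random_calls(STRONG_SRC))
```

The two samples contain the identical expression `random.choice(chars)`; only the binding of the name `random` differs, which is what a review has to check before reporting the call as weak.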