pyauth / pyotp

Python One-Time Password Library
https://pyauth.github.io/pyotp/

Change random to secrets #45

Closed lightsing closed 7 years ago

lightsing commented 7 years ago

The random module isn't for security purposes. Change to secrets module.

Warning The pseudo-random generators of this module should not be used for security purposes. For security or cryptographic uses, see the secrets module.

https://docs.python.org/3.6/library/random.html

lightsing commented 7 years ago

I forgot the secrets module is new in Python 3.6. I will fix this.

kislyuk commented 7 years ago

This library maintains compatibility with Python 2.7 and 3.3+. The secrets vs. random split in Python 3.6+ is intended to make it easier for people to understand which sources of randomness are cryptographically reliable. Ultimately, secrets depends on the system PRNG (via SystemRandom, which uses /dev/urandom), which is the same interface used by pyotp. If you want to know more about the behavior and security of the system PRNG, please search for something like "is /dev/urandom secure" for an extended discussion.

I will close this PR now, since there is no practical benefit (security or otherwise) from pyotp using the secrets module - it already uses the strongest available PRNG via SystemRandom.
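
To make the point of the reply concrete, here is an added example (not pyotp's own code, and not anything posted in this thread) that puts the portable SystemRandom-based generator side by side with its secrets-based spelling and checks that they share one entropy source. It targets Python 3.6+ so that both spellings can be imported in one file; the base32 alphabet constant, the 32-character default length and the helper names are assumptions made for the example.

```python
import base64
import random
import secrets
import string

# Assumption for this example: OTP shared secrets are conventionally written
# in the RFC 4648 base32 alphabet (A-Z plus 2-7), so that is what we draw from.
BASE32_ALPHABET = string.ascii_uppercase + "234567"


def random_base32_compat(length=32):
    """Portable (Python 2.7 / 3.3+) generator built on the OS PRNG.

    random.SystemRandom() draws from os.urandom(). It is not the Mersenne
    Twister behind module-level random.choice(), which is the generator the
    Python docs warn against using for security purposes.
    """
    rng = random.SystemRandom()
    return "".join(rng.choice(BASE32_ALPHABET) for _ in range(length))


def random_base32_secrets(length=32):
    """Same generator, Python 3.6+ spelling through the secrets module."""
    return "".join(secrets.choice(BASE32_ALPHABET) for _ in range(length))


def same_entropy_source():
    """secrets is a thin wrapper over random.SystemRandom.

    The class exposed as secrets.SystemRandom is the very same object as
    random.SystemRandom, so both helpers above read from the same OS CSPRNG.
    """
    return secrets.SystemRandom is random.SystemRandom


def is_valid_base32_secret(secret, length=32):
    """Shape check: right length, only base32 characters, and decodable.

    base64.b32decode needs a multiple of 8 characters; 32 characters decode
    to a 20-byte key with no padding needed.
    """
    if len(secret) != length or any(c not in BASE32_ALPHABET for c in secret):
        return False
    try:
        base64.b32decode(secret)
    except Exception:
        return False
    return True


def seeded_mt_reproduces(seed=1234, length=32):
    """Why the docs warn about random: two Mersenne Twister instances with the
    same seed emit identical 'secrets', so a guessable seed gives away the
    whole key. Returns True when the outputs collide."""
    a = random.Random(seed)
    b = random.Random(seed)
    out_a = "".join(a.choice(BASE32_ALPHABET) for _ in range(length))
    out_b = "".join(b.choice(BASE32_ALPHABET) for _ in range(length))
    return out_a == out_b


def seeded_systemrandom_reproduces(seed=1234, length=32):
    """SystemRandom.seed() is documented as a no-op: two 'identically seeded'
    instances still return independent 160-bit values, so this returns False
    (except with probability about 2**-160)."""
    a = random.SystemRandom(seed)
    b = random.SystemRandom(seed)
    out_a = "".join(a.choice(BASE32_ALPHABET) for _ in range(length))
    out_b = "".join(b.choice(BASE32_ALPHABET) for _ in range(length))
    return out_a == out_b


if __name__ == "__main__":
    print("compat :", random_base32_compat())
    print("secrets:", random_base32_secrets())
    print("same entropy source:", same_entropy_source())
    print("seeded MT reproducible:", seeded_mt_reproduces())
    print("seeded SystemRandom reproducible:", seeded_systemrandom_reproduces())
```

The practical takeaway matches the reply above: swapping SystemRandom for secrets changes the spelling, not the entropy source. The thing that would actually be a defect is module-level random.choice(), which the seeded_mt_reproduces check shows is deterministic given its seed.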

lightsing commented 7 years ago

Thanks for your patient explanation. Andrey Kislyuk notifications@github.com wrote on Saturday, 6 May 2017 at 00:17:

Closed #45 https://github.com/pyotp/pyotp/pull/45.
