Why you should never use random module for generating passwords.
Vaarun Sinha
Posted on November 4, 2021
Why Random Numbers Are Not Random?
The Random Numbers come from a particular seed number which is usually the system clock.Run the program below to understand the security risk.
The Python Documentation also has a warning about the same: "The pseudo-random generators of this module should not be used for security purposes."
So all the password generators you have built using random module are not secure!? So How do we generate cryptographically secure numbers/passwords?
But there is another line after that warning:
"For security or cryptographic uses, see the secrets module."
What is this secrets module?
The secrets module is used for generating cryptographically strong random numbers suitable for managing data such as passwords, account authentication, security tokens, and related secrets.
How it is different from the random module?
I found a really good post on reddit from which you can understand what is the difference between these two modules.
The Post says:
"with random your numbers come from some seed number, usually based on the system clock, which generates pseudo-random numbers. That means that if you get guess the seed, you can generate the same sequence of numbers. If you used pseudorandomly generated numbers as salts for all your passwords, then brute forcing the keys would become trivial.
true random numbers come from "high entropy" seeds, meaning it's not just some number you can guess, it's things that are impossible to reproduce algorithmically. Imagine things like keyboard inputs, time between keystrokes, mouse movements, cpu usage, number of programs running, etc. It might not use those exactly, but you can see how the numbers it generates from those sources are literally impossible to reproduce which is why you want to use those ones as your encryption keys and salts."
And another post says:
"It's more secure because it's less predictable. The random module uses an algorithm that's fast but it's possible to calculate what the next random number will be. That's fine for randomly placing things on the screen or something but for generating passwords it's important that the number is not predictable."
So basically it makes the seed really hard to guess( less predictable)
Reddit Post 1: https://www.reddit.com/r/learnpython/comments/7w8w6y/comment/dtyg7wd/?utm_source=share&utm_medium=web2x&context=3
Reddit Post 2:
https://www.reddit.com/r/learnpython/comments/7w8w6y/comment/dtyi6z8/?utm_source=share&utm_medium=web2x&context=3
Stay tuned for the next blog where we make a password generator which generates cryptographically strong passwords.
Happy Coding
Posted on November 4, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.