高品质,简单的随机密码生成器 [英] High quality, simple random password generator
问题描述
我对创建一个非常简单的,高(加密)质量的随机密码生成器感兴趣.有更好的方法吗?
I'm interested in creating a very simple, high (cryptographic) quality random password generator. Is there a better way to do this?
import os, random, string
length = 13
chars = string.ascii_letters + string.digits + '!@#$%^&*()'
random.seed = (os.urandom(1024))
print ''.join(random.choice(chars) for i in range(length))
推荐答案
使用密码的困难之处在于使密码足够牢固,并且仍然能够记住它们.如果密码不是人们想记住的密码,那么它实际上不是密码.
The difficult thing with passwords is to make them strong enough and still be able to remember them. If the password is not meant to be remembered by a human being, then it is not really a password.
您使用Python的os.urandom()
:很好.对于任何实际目的(甚至是加密),os.urandom()
的输出与真正的Alea都无法区分.然后,将其用作random
中的种子,效果不佳:一个是非加密PRNG,其输出可能显示某种结构,该结构不会在统计测量工具中注册,但可能会被聪明的攻击者利用.您应该一直使用os.urandom()
.简单起见:选择长度为64的字母,例如字母(大写和小写),数字和两个额外的标点符号(例如"+"和"/").然后,对于每个密码字符,从os.urandom()
中获取一个字节,减少模64的值(这是无偏的,因为64除以256)并将结果用作chars
数组中的索引.
You use Python's os.urandom()
: that's good. For any practical purpose (even cryptography), the output of os.urandom()
is indistinguishable from true alea. Then you use it as seed in random
, which is less good: that one is a non-cryptographic PRNG, and its output may exhibit some structure which will not register in a statistical measurement tool, but might be exploited by an intelligent attacker. You should work with os.urandom()
all along. To make things simple: choose an alphabet of length 64, e.g. letters (uppercase and lowercase), digits, and two extra punctuation characters (such as '+' and '/'). Then, for each password character, get one byte from os.urandom()
, reduce the value modulo 64 (this is unbiased because 64 divides 256) and use the result as index in your chars
array.
使用长度为64的字母,每个字符可获得6位熵(因为2 6 = 64).因此,使用13个字符,您将获得78位的熵.这并不是在所有情况下最终都强大,但已经非常强大了(可以用数月,数十亿美元(而不仅仅是数百万美元)的预算来击败它.)
With an alphabet of length 64, you get 6 bits of entropy per character (because 26 = 64). Thus, with 13 characters, you get 78 bits of entropy. This is not ultimately strong in all cases, but already very strong (it could be defeated with a budget which will be counted in months and billions of dollars, not mere millions).
这篇关于高品质,简单的随机密码生成器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!