高品质,简单的随机密码生成器 [英] High quality, simple random password generator
问题描述
我对创建一个非常简单的,高(加密)质量的随机密码生成器感兴趣.有更好的方法吗?
I'm interested in creating a very simple, high (cryptographic) quality random password generator. Is there a better way to do this?
import os, random, string
length = 13
chars = string.ascii_letters + string.digits + '!@#$%^&*()'
random.seed = (os.urandom(1024))
print ''.join(random.choice(chars) for i in range(length))
推荐答案
使用密码的困难之处在于使密码足够牢固,并且仍然能够记住它们.如果密码不是人们想记住的密码,那么它实际上不是密码.
The difficult thing with passwords is to make them strong enough and still be able to remember them. If the password is not meant to be remembered by a human being, then it is not really a password.
您使用Python的os.urandom():很好.对于任何实际目的(甚至是加密),os.urandom()的输出与真正的Alea都无法区分.然后,将其用作random中的种子,效果不佳:一个是非加密PRNG,其输出可能显示某种结构,该结构不会在统计测量工具中注册,但可能会被聪明的攻击者利用.您应该一直使用os.urandom().简单起见:选择长度为64的字母,例如字母(大写和小写),数字和两个额外的标点符号(例如"+"和"/").然后,对于每个密码字符,从os.urandom()中获取一个字节,减少模64的值(这是无偏的,因为64除以256)并将结果用作chars数组中的索引.
You use Python's os.urandom(): that's good. For any practical purpose (even cryptography), the output of os.urandom() is indistinguishable from true alea. Then you use it as seed in random, which is less good: that one is a non-cryptographic PRNG, and its output may exhibit some structure which will not register in a statistical measurement tool, but might be exploited by an intelligent attacker. You should work with os.urandom() all along. To make things simple: choose an alphabet of length 64, e.g. letters (uppercase and lowercase), digits, and two extra punctuation characters (such as '+' and '/'). Then, for each password character, get one byte from os.urandom(), reduce the value modulo 64 (this is unbiased because 64 divides 256) and use the result as index in your chars array.
使用长度为64的字母,每个字符可获得6位熵(因为2 6 = 64).因此,使用13个字符,您将获得78位的熵.这并不是在所有情况下最终都强大,但已经非常强大了(可以用数月,数十亿美元(而不仅仅是数百万美元)的预算来击败它.)
With an alphabet of length 64, you get 6 bits of entropy per character (because 26 = 64). Thus, with 13 characters, you get 78 bits of entropy. This is not ultimately strong in all cases, but already very strong (it could be defeated with a budget which will be counted in months and billions of dollars, not mere millions).
这篇关于高品质,简单的随机密码生成器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
