darth_mall
Posted July 5, 2015 (edited)

Edit by deanishe: This workflow does not use a good source of random data. It does not generate secure passwords in its current state (see post below for reasons).

A workflow for generating passwords using diceware and either Python's pseudo-random number generator or the random.org API (more secure). See the README for more information.

Download the workflow here. Source available on GitHub.

Edited February 9, 2016 by deanishe: Added warning about lacking randomness

deanishe
Posted February 9, 2016 (edited)

Just stumbled across this. Two observations:

1. random.org is not more secure. It may be in theory, but using a web service as a source of entropy is a terrible idea. It is relatively easy to subvert a web service with versions of Python before 2.7.9, which do not verify SSL certificates. This means every pre-Yosemite OS X release. A web service is only acceptable as a source of entropy if you XOR the data with existing random data.

2. Python's random module is not suitable for crypto purposes, i.e. generating passwords. It says so very clearly in the Python docs. As it also states there, use SystemRandom or os.urandom() for cryptographic purposes.

I've added a note to your post to reflect the fact that these passwords are not secure. Please fix the issue.

Edited February 9, 2016 by deanishe
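
The two fixes named in the post above, as an added example that is not part of the thread or the workflow's own code: words chosen with SystemRandom, and web-service bytes XORed with os.urandom() output before use. The word list, the function names and the injectable `local` parameter are assumptions made for the illustration.

```python
import os
import random

# Constructed sample list; a real diceware list has 7776 words.
SAMPLE_WORDS = ["anvil", "breeze", "cobalt", "dune", "ember", "fjord", "gravel"]


def passphrase(words, count=6, rng=None):
    """Join `count` uniformly chosen words; defaults to the OS CSPRNG."""
    if rng is None:
        rng = random.SystemRandom()  # reads os.urandom(), ignores seed()
    return " ".join(rng.choice(words) for _ in range(count))


def repeats_with_seed(words, seed):
    """True if the default Mersenne Twister PRNG replays a passphrase.

    Anyone who learns or guesses the seed/state gets the same words,
    which is why the random module's default generator is unsuitable here.
    """
    first = passphrase(words, rng=random.Random(seed))
    second = passphrase(words, rng=random.Random(seed))
    return first == second


def mix_entropy(remote, local=None):
    """XOR bytes fetched from a web service with local CSPRNG bytes.

    If `remote` was forged or observed in transit, the result is still as
    unpredictable as `local`. `local` is injectable only for testing.
    """
    if local is None:
        local = os.urandom(len(remote))
    if len(local) != len(remote):
        raise ValueError("remote and local must be the same length")
    return bytes(r ^ l for r, l in zip(remote, local))


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS))
    print(repeats_with_seed(SAMPLE_WORDS, 1234))  # seeded PRNG is replayable
    print(mix_entropy(b"\x00" * 8).hex())         # constructed "remote" bytes
```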