
Use cryptographically secure random source for password generation

Open daurnimator opened this issue 4 years ago • 3 comments

Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.

  • Severity: Low
  • Confidence: High
  • Location: mtls/mtls.py:448
  • More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
447	        for c in range(10):
448	            pw.append(random.choice(wordList))
449	        return " ".join(pw).rstrip()

daurnimator avatar Jul 05 '21 13:07 daurnimator

Thanks for the notice!

It looks like Python 3.6 now supports "secure" random number generation and we wouldn't have to use cryptography (which isn't actually a big deal since we already use it).

If you'd like to make a PR for this it's definitely welcome or I can look into fixing this sometime this week.

drGrove avatar Aug 23 '21 04:08 drGrove

Hi, wouldn't something like random.SystemRandom().choice() work?

nocturn9x avatar Mar 25 '23 09:03 nocturn9x
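Added example (not code from the mtls-cli project or from any commenter): the flagged `random.choice` pattern from the issue body next to the two fixes discussed in the thread, `secrets.choice` (Python 3.6+) and `random.SystemRandom().choice()`, both of which draw from the OS CSPRNG (`os.urandom`) rather than the seedable Mersenne Twister that Bandit B311 warns about. The word list, the function names and the 10-word length are assumptions made for this demonstration; the project's real word list is not shown on the page.

```python
import math
import random
import secrets

# Constructed sample word list for the demo; the real project loads its own list.
WORD_LIST = ["apple", "brick", "cloud", "delta", "ember", "frost", "grain", "harbor"]

# Matches the loop bound in the flagged snippet (for c in range(10)).
WORDS_PER_PASSPHRASE = 10


def insecure_passphrase(word_list=WORD_LIST, n=WORDS_PER_PASSPHRASE):
    """Mirrors the flagged pattern (Bandit B311): random.choice draws from the
    module-level Mersenne Twister PRNG, which is deterministic given its seed
    and whose state can be reconstructed from enough observed outputs."""
    pw = [random.choice(word_list) for _ in range(n)]
    return " ".join(pw)


def secure_passphrase(word_list=WORD_LIST, n=WORDS_PER_PASSPHRASE):
    """Hardened form: secrets.choice (Python 3.6+) is backed by SystemRandom,
    i.e. os.urandom, so there is no seed to recover or replay."""
    pw = [secrets.choice(word_list) for _ in range(n)]
    return " ".join(pw)


def secure_passphrase_systemrandom(word_list=WORD_LIST, n=WORDS_PER_PASSPHRASE):
    """Equivalent alternative raised in the thread: random.SystemRandom exposes
    the familiar random.Random API but sources bytes from os.urandom."""
    rng = random.SystemRandom()
    pw = [rng.choice(word_list) for _ in range(n)]
    return " ".join(pw)


def passphrase_entropy_bits(word_list_size, n=WORDS_PER_PASSPHRASE):
    """Entropy of an n-word passphrase drawn uniformly from word_list_size words:
    n * log2(size). This figure only holds when the sampler is unpredictable,
    which is exactly what the insecure variant fails to guarantee."""
    return n * math.log2(word_list_size)


def is_valid_passphrase(passphrase, word_list=WORD_LIST, n=WORDS_PER_PASSPHRASE):
    """Structural check: exactly n words, every one taken from the word list."""
    words = passphrase.split(" ")
    return len(words) == n and all(w in word_list for w in words)


def demonstrate_determinism(seed=12345):
    """Why B311 matters: re-seeding the global PRNG reproduces the identical
    'password'. The CSPRNG-backed variants have no seed to reset."""
    random.seed(seed)
    first = insecure_passphrase()
    random.seed(seed)
    second = insecure_passphrase()
    return first == second


if __name__ == "__main__":
    print("insecure (random.choice):", insecure_passphrase())
    print("secure   (secrets.choice):", secure_passphrase())
    print("secure   (SystemRandom):  ", secure_passphrase_systemrandom())
    print(f"entropy with {len(WORD_LIST)} words: "
          f"{passphrase_entropy_bits(len(WORD_LIST)):.1f} bits")
    print("insecure output repeats under the same seed:", demonstrate_determinism())
```

The fix is a one-token change at line 448 (`random.choice` to `secrets.choice`), with `import secrets` added at the top of the module; `secrets.choice` raises on an empty sequence just as `random.choice` does, so the surrounding loop and `" ".join` need no other changes. The `.rstrip()` in the original is harmless but redundant, since `" ".join` never produces trailing whitespace.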