我可以使用 python 的 random 模块制作一个安全的基于“纯函数”的密码生成器吗?
[英]Can I make a secure “pure function” based password generator using python's random module?
问题描述
So I was looking for ways of managing my passwords without using a server-based password manager like LastPass and I came across https://lesspass.com .
所以我一直在寻找不使用基于服务器的密码管理器(如 LastPass)来管理我的密码的方法,我遇到了https://lesspass.com 。 According to the website, this tool creates the same password for the given master password, username and website.根据该网站,该工具为给定的主密码、用户名和网站创建相同的密码。 I really liked the idea and decided to make my own proof of concept in python using the random module.我真的很喜欢这个想法,并决定使用 random 模块在 python 中制作自己的概念证明。 I made this simple function:我做了这个简单的 function:
import random
import string
import os
MASTER_PASS=os.environ.get('MASTER_PASS')
def generate(platform, user, length):
random.seed(platform+user+MASTER_PASS)
letters=string.ascii_letters +string.digits + string.punctuation
password=""
for i in range(length):
password+=random.choice(letters)
print(password)
generate("facebook", "xyz.abc", 32)
I think this should be secure enough as long as nobody knows my MASTER_PASSWORD but I cannot shake the feeling that this is somehow stupidly unsafe.我认为只要没有人知道我的 MASTER_PASSWORD 就应该足够安全,但我无法摆脱这种愚蠢不安全的感觉。 Can anyone point out the glaring flaws in this approach and suggest some ways to improve the robustness?谁能指出这种方法的明显缺陷并提出一些提高鲁棒性的方法?
EDIT:编辑:
I think some clarification is needed on my part.我认为我需要做一些澄清。 I want to make a program where I can input my platform name, username and master password to generate a password.我想制作一个程序,我可以在其中输入我的平台名称、用户名和主密码来生成密码。 Also, it is imperative that I get the same password whenever I input the same combination.此外,每当我输入相同的组合时,我必须获得相同的密码。 I am essentially trying to create a vault-less password manager that does not rely on any servers to store my passwords.我实际上是在尝试创建一个不依赖任何服务器来存储我的密码的无保险库密码管理器。
1 个解决方案
解决方案1
2 2020-04-28 11:48:14
The random module is not cryptographically safe. random模块不是密码安全的。 You should use the secrets module instead.您应该改用secrets模块。
In particular, secrets should be used in preference to the default pseudo-random number generator in the random module, which is designed for modelling and simulation, not security or cryptography.
The API is identical, so your code will work. API 是相同的,因此您的代码可以工作。
As far as the approach is concerned, this is pretty much how other password generators work.就方法而言,这几乎就是其他密码生成器的工作方式。 Just keep in mind how much entropy is actually in the password (depends on length & the total size of letters ).请记住密码中实际包含多少熵(取决于length和letters的总大小)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.