Security tokens are everywhere—authentication systems, API keys, session IDs, and cryptographic workflows. But generating truly unpredictable tokens is harder than most developers think.
In this article, I’ll walk you through how I built a high-entropy, multi-source token generator using Python.
It combines:
✅ Webcam entropy
✅ Microphone entropy
✅ System randomness
✅ CSPRNG (secrets)
✅ os.urandom()
✅ HMAC-SHA256
✅ A secret pepper (stored in environment variables)
The goal: Make tokens as unpredictable and tamper-resistant as possible.
🚀 Why Multi-Source Entropy?
Tokens generated only with random() (or any weak RNG) are predictable.
Even secrets.token_hex()—while secure—is still based on a single entropy source.
So I decided to stack entropy from multiple hardware and software sources:
Microphone noise
Webcam pixel randomness
CPU load
High-resolution timers
OS randomness
CSPRNG randomness
Mixing them together gives an attacker nothing stable to model or predict.
import os
import time
import hmac
import sounddevice as sd
import cv2
from hashlib import sha256
import secrets
import subprocess
from colored import stylize, fg
from dotenv import load_dotenv
load_dotenv()
PEPPER = os.getenv('PEPPER')
def camera_entropy():
try:
cam = cv2.VideoCapture(0)
if not cam.isOpened():
return b''
# Capture a single frame
ret, frame = cam.read()
cam.release()
if not ret:
return b''
# Convert frame (numpy array) to bytes
return frame.tobytes()
except:
return b''
def microphone_entropy():
try:
sample_rate = 44100
duration = 1
rec = sd.rec(
int(sample_rate * duration),
samplerate=sample_rate,
channels=1,
dtype='int16'
)
sd.wait()
return rec.tobytes()
except:
return b''
def system_entropy():
try:
cpu_load = subprocess.getoutput("wmic cpu get loadpercentage")
except:
cpu_load = "0"
data = f"{cpu_load}{os.times()}{os.getenv('PROCESSOR_IDENTIFIER')}{time.perf_counter_ns()}"
return data.encode()
def extra_entropy():
mic = microphone_entropy()
cam = camera_entropy()
sys_info = system_entropy()
timer = str(time.time_ns()).encode()
os_rand = os.urandom(64)
mix = mic + cam + sys_info + timer + os_rand
return sha256(mix).digest()
def generate_token():
# Mix CSPRNG + all entropy sources
mix = str(secrets.token_bytes(32) + extra_entropy())
hc = hmac.new(PEPPER.encode(), mix.encode(), digestmod=sha256).hexdigest()
return hc
while True:
print(stylize(f"Secure Token: {generate_token()}", fg(40)))
🧠 How It Works
🎤 1. Microphone Noise
Microphone audio is full of unpredictable static and background variation.
We record 1 second of raw audio and convert it to bytes.
📷 2. Camera Frame Entropy
A single webcam frame contains millions of pixel values.
Even tiny changes (light, movement, noise) create strong randomness.
🖥️ 3. System-Level Entropy
We add:
CPU load
OS timestamps
CPU model ID
High-precision timers (perf_counter_ns())
These are continuously changing values.
🔒 4. OS Randomness
os.urandom(64) gives cryptographically secure bytes from the OS entropy pool.
🔐 5. Secrets Generator
secrets.token_bytes(32) adds a strong CSPRNG value to the mix.
🧂 6. Pepper + HMAC
We finish with:
hmac.new(PEPPER.encode(), mix.encode(), sha256).hexdigest()
The PEPPER is a secret stored outside the code in .env.
Even if an attacker gets the script, they cannot reproduce or modify tokens without the pepper.
🔥 Why This Is Extremely Secure
This generator combines:
hardware noise
OS randomness
cryptographic RNG
realtime system variability
HMAC integrity
an external secret pepper
Each layer strengthens the previous one.
Even if someone tries to model one entropy source, they can’t model all of them at once.
⚠ A Note About Pepper Security
If you lose your PEPPER, you cannot verify tokens anymore.
It should be stored in:
.env
a secrets manager
environment variables
or encrypted storage
Never commit it to GitHub.
🧩 Possible Improvements
If you want to go even further:
Add disk I/O randomness
Hash multiple webcam frames
Add keyboard/mouse timing noise
Mix in network latency jitter
Use HKDF to derive multiple tokens
🏁 Final Thoughts
Cryptographic security is not about adding “a little randomness.”
It’s about combining unpredictable, independent sources that make attacks impossible.
This project is a fun—and powerful—example of how to push entropy to the next level.
Top comments (0)