DEV Community

Vaarun Sinha
Vaarun Sinha

Posted on • Edited on

Why you should never use random module for generating passwords.

Why Random Numbers Are Not Random?

The Random Numbers come from a particular seed number which is usually the system clock.Run the program below to understand the security risk.

The Python Documentation also has a warning about the same: "The pseudo-random generators of this module should not be used for security purposes."

So all the password generators you have built using random module are not secure!? So How do we generate cryptographically secure numbers/passwords?

But there is another line after that warning:
"For security or cryptographic uses, see the secrets module."

What is this secrets module?

The secrets module is used for generating cryptographically strong random numbers suitable for managing data such as passwords, account authentication, security tokens, and related secrets.

How it is different from the random module?

I found a really good post on reddit from which you can understand what is the difference between these two modules.

The Post says:

"with random your numbers come from some seed number, usually based on the system clock, which generates pseudo-random numbers. That means that if you get guess the seed, you can generate the same sequence of numbers. If you used pseudorandomly generated numbers as salts for all your passwords, then brute forcing the keys would become trivial.
true random numbers come from "high entropy" seeds, meaning it's not just some number you can guess, it's things that are impossible to reproduce algorithmically. Imagine things like keyboard inputs, time between keystrokes, mouse movements, cpu usage, number of programs running, etc. It might not use those exactly, but you can see how the numbers it generates from those sources are literally impossible to reproduce which is why you want to use those ones as your encryption keys and salts."

And another post says:

"It's more secure because it's less predictable. The random module uses an algorithm that's fast but it's possible to calculate what the next random number will be. That's fine for randomly placing things on the screen or something but for generating passwords it's important that the number is not predictable."

So basically it makes the seed really hard to guess( less predictable)

Reddit Post 1: https://www.reddit.com/r/learnpython/comments/7w8w6y/comment/dtyg7wd/?utm_source=share&utm_medium=web2x&context=3

Reddit Post 2:
https://www.reddit.com/r/learnpython/comments/7w8w6y/comment/dtyi6z8/?utm_source=share&utm_medium=web2x&context=3

Stay tuned for the next blog where we make a password generator which generates cryptographically strong passwords.

Happy Coding

Top comments (4)

Collapse
 
jonrandy profile image
Jon Randy 🎖️

true random numbers come from "high entropy" seeds

This statement is funny - it contradicts itself. If something were truly random - it would be dependent upon nothing. True randomness is a concept, not a reality

Collapse
 
vaarun_sinha profile image
Vaarun Sinha

Yeah, that is correct true randomness is nearly impossible. But because of high entropy seeds, the random numbers generated by the secrets module are less predictable than the numbers generated by the random module.

I quoted the reddit post that I also linked up in last.
Thanks for taking time to read the article.

Collapse
 
vaarun_sinha profile image
Vaarun Sinha

Feedback is highly appreciated, if you find any problem/mistakes (which is unlikely) then please comment the problem and I will fix it.

Hope you learnt something valuable today.

Hope You Have A Nice Day Ahead!

Happy Coding!

Collapse
 
vaarun_sinha profile image
Vaarun Sinha

The Password Generator Blog is Now Live!