CCF_100
/
python-project
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
python-project/python-3.7.4-docs-html/library/secrets.html

363 lines
24 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<title>secrets — Generate secure random numbers for managing secrets &#8212; Python 3.7.4 documentation</title>
<link rel="stylesheet" href="../_static/pydoctheme.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<script type="text/javascript" src="../_static/language_data.js"></script>
<script type="text/javascript" src="../_static/sidebar.js"></script>
<link rel="search" type="application/opensearchdescription+xml"
title="Search within Python 3.7.4 documentation"
href="../_static/opensearch.xml"/>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
<link rel="next" title="Generic Operating System Services" href="allos.html" />
<link rel="prev" title="hmac — Keyed-Hashing for Message Authentication" href="hmac.html" />
<link rel="shortcut icon" type="image/png" href="../_static/py.png" />
<link rel="canonical" href="https://docs.python.org/3/library/secrets.html" />
<script type="text/javascript" src="../_static/copybutton.js"></script>
<script type="text/javascript" src="../_static/switchers.js"></script>
<style>
@media only screen {
table.full-width-table {
width: 100%;
}
}
</style>
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="allos.html" title="Generic Operating System Services"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="hmac.html" title="hmac — Keyed-Hashing for Message Authentication"
accesskey="P">previous</a> |</li>
<li><img src="../_static/py.png" alt=""
style="vertical-align: middle; margin-top: -1px"/></li>
<li><a href="https://www.python.org/">Python</a> &#187;</li>
<li>
<span class="language_switcher_placeholder">en</span>
<span class="version_switcher_placeholder">3.7.4</span>
<a href="../index.html">Documentation </a> &#187;
</li>
<li class="nav-item nav-item-1"><a href="index.html" >The Python Standard Library</a> &#187;</li>
<li class="nav-item nav-item-2"><a href="crypto.html" accesskey="U">Cryptographic Services</a> &#187;</li>
<li class="right">
<div class="inline-search" style="display: none" role="search">
<form class="inline-search" action="../search.html" method="get">
<input placeholder="Quick search" type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('.inline-search').show(0);</script>
|
</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="module-secrets">
<span id="secrets-generate-secure-random-numbers-for-managing-secrets"></span><h1><a class="reference internal" href="#module-secrets" title="secrets: Generate secure random numbers for managing secrets."><code class="xref py py-mod docutils literal notranslate"><span class="pre">secrets</span></code></a> — Generate secure random numbers for managing secrets<a class="headerlink" href="#module-secrets" title="Permalink to this headline"></a></h1>
<div class="versionadded">
<p><span class="versionmodified added">New in version 3.6.</span></p>
</div>
<p><strong>Source code:</strong> <a class="reference external" href="https://github.com/python/cpython/tree/3.7/Lib/secrets.py">Lib/secrets.py</a></p>
<hr class="docutils" />
<p>The <a class="reference internal" href="#module-secrets" title="secrets: Generate secure random numbers for managing secrets."><code class="xref py py-mod docutils literal notranslate"><span class="pre">secrets</span></code></a> module is used for generating cryptographically strong
random numbers suitable for managing data such as passwords, account
authentication, security tokens, and related secrets.</p>
<p>In particularly, <a class="reference internal" href="#module-secrets" title="secrets: Generate secure random numbers for managing secrets."><code class="xref py py-mod docutils literal notranslate"><span class="pre">secrets</span></code></a> should be used in preference to the
default pseudo-random number generator in the <a class="reference internal" href="random.html#module-random" title="random: Generate pseudo-random numbers with various common distributions."><code class="xref py py-mod docutils literal notranslate"><span class="pre">random</span></code></a> module, which
is designed for modelling and simulation, not security or cryptography.</p>
<div class="admonition seealso">
<p class="admonition-title">See also</p>
<p><span class="target" id="index-0"></span><a class="pep reference external" href="https://www.python.org/dev/peps/pep-0506"><strong>PEP 506</strong></a></p>
</div>
<div class="section" id="random-numbers">
<h2>Random numbers<a class="headerlink" href="#random-numbers" title="Permalink to this headline"></a></h2>
<p>The <a class="reference internal" href="#module-secrets" title="secrets: Generate secure random numbers for managing secrets."><code class="xref py py-mod docutils literal notranslate"><span class="pre">secrets</span></code></a> module provides access to the most secure source of
randomness that your operating system provides.</p>
<dl class="class">
<dt id="secrets.SystemRandom">
<em class="property">class </em><code class="descclassname">secrets.</code><code class="descname">SystemRandom</code><a class="headerlink" href="#secrets.SystemRandom" title="Permalink to this definition"></a></dt>
<dd><p>A class for generating random numbers using the highest-quality
sources provided by the operating system. See
<a class="reference internal" href="random.html#random.SystemRandom" title="random.SystemRandom"><code class="xref py py-class docutils literal notranslate"><span class="pre">random.SystemRandom</span></code></a> for additional details.</p>
</dd></dl>
<dl class="function">
<dt id="secrets.choice">
<code class="descclassname">secrets.</code><code class="descname">choice</code><span class="sig-paren">(</span><em>sequence</em><span class="sig-paren">)</span><a class="headerlink" href="#secrets.choice" title="Permalink to this definition"></a></dt>
<dd><p>Return a randomly-chosen element from a non-empty sequence.</p>
</dd></dl>
<dl class="function">
<dt id="secrets.randbelow">
<code class="descclassname">secrets.</code><code class="descname">randbelow</code><span class="sig-paren">(</span><em>n</em><span class="sig-paren">)</span><a class="headerlink" href="#secrets.randbelow" title="Permalink to this definition"></a></dt>
<dd><p>Return a random int in the range [0, <em>n</em>).</p>
</dd></dl>
<dl class="function">
<dt id="secrets.randbits">
<code class="descclassname">secrets.</code><code class="descname">randbits</code><span class="sig-paren">(</span><em>k</em><span class="sig-paren">)</span><a class="headerlink" href="#secrets.randbits" title="Permalink to this definition"></a></dt>
<dd><p>Return an int with <em>k</em> random bits.</p>
</dd></dl>
</div>
<div class="section" id="generating-tokens">
<h2>Generating tokens<a class="headerlink" href="#generating-tokens" title="Permalink to this headline"></a></h2>
<p>The <a class="reference internal" href="#module-secrets" title="secrets: Generate secure random numbers for managing secrets."><code class="xref py py-mod docutils literal notranslate"><span class="pre">secrets</span></code></a> module provides functions for generating secure
tokens, suitable for applications such as password resets,
hard-to-guess URLs, and similar.</p>
<dl class="function">
<dt id="secrets.token_bytes">
<code class="descclassname">secrets.</code><code class="descname">token_bytes</code><span class="sig-paren">(</span><span class="optional">[</span><em>nbytes=None</em><span class="optional">]</span><span class="sig-paren">)</span><a class="headerlink" href="#secrets.token_bytes" title="Permalink to this definition"></a></dt>
<dd><p>Return a random byte string containing <em>nbytes</em> number of bytes.
If <em>nbytes</em> is <code class="docutils literal notranslate"><span class="pre">None</span></code> or not supplied, a reasonable default is
used.</p>
<div class="highlight-pycon3 notranslate"><div class="highlight"><pre><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">token_bytes</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
<span class="go">b&#39;\xebr\x17D*t\xae\xd4\xe3S\xb6\xe2\xebP1\x8b&#39;</span>
</pre></div>
</div>
</dd></dl>
<dl class="function">
<dt id="secrets.token_hex">
<code class="descclassname">secrets.</code><code class="descname">token_hex</code><span class="sig-paren">(</span><span class="optional">[</span><em>nbytes=None</em><span class="optional">]</span><span class="sig-paren">)</span><a class="headerlink" href="#secrets.token_hex" title="Permalink to this definition"></a></dt>
<dd><p>Return a random text string, in hexadecimal. The string has <em>nbytes</em>
random bytes, each byte converted to two hex digits. If <em>nbytes</em> is
<code class="docutils literal notranslate"><span class="pre">None</span></code> or not supplied, a reasonable default is used.</p>
<div class="highlight-pycon3 notranslate"><div class="highlight"><pre><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">token_hex</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
<span class="go">&#39;f9bf78b9a18ce6d46a0cd2b0b86df9da&#39;</span>
</pre></div>
</div>
</dd></dl>
<dl class="function">
<dt id="secrets.token_urlsafe">
<code class="descclassname">secrets.</code><code class="descname">token_urlsafe</code><span class="sig-paren">(</span><span class="optional">[</span><em>nbytes=None</em><span class="optional">]</span><span class="sig-paren">)</span><a class="headerlink" href="#secrets.token_urlsafe" title="Permalink to this definition"></a></dt>
<dd><p>Return a random URL-safe text string, containing <em>nbytes</em> random
bytes. The text is Base64 encoded, so on average each byte results
in approximately 1.3 characters. If <em>nbytes</em> is <code class="docutils literal notranslate"><span class="pre">None</span></code> or not
supplied, a reasonable default is used.</p>
<div class="highlight-pycon3 notranslate"><div class="highlight"><pre><span></span><span class="gp">&gt;&gt;&gt; </span><span class="n">token_urlsafe</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span>
<span class="go">&#39;Drmhze6EPcv0fN_81Bj-nA&#39;</span>
</pre></div>
</div>
</dd></dl>
<div class="section" id="how-many-bytes-should-tokens-use">
<h3>How many bytes should tokens use?<a class="headerlink" href="#how-many-bytes-should-tokens-use" title="Permalink to this headline"></a></h3>
<p>To be secure against
<a class="reference external" href="https://en.wikipedia.org/wiki/Brute-force_attack">brute-force attacks</a>,
tokens need to have sufficient randomness. Unfortunately, what is
considered sufficient will necessarily increase as computers get more
powerful and able to make more guesses in a shorter period. As of 2015,
it is believed that 32 bytes (256 bits) of randomness is sufficient for
the typical use-case expected for the <a class="reference internal" href="#module-secrets" title="secrets: Generate secure random numbers for managing secrets."><code class="xref py py-mod docutils literal notranslate"><span class="pre">secrets</span></code></a> module.</p>
<p>For those who want to manage their own token length, you can explicitly
specify how much randomness is used for tokens by giving an <a class="reference internal" href="functions.html#int" title="int"><code class="xref py py-class docutils literal notranslate"><span class="pre">int</span></code></a>
argument to the various <code class="docutils literal notranslate"><span class="pre">token_*</span></code> functions. That argument is taken
as the number of bytes of randomness to use.</p>
<p>Otherwise, if no argument is provided, or if the argument is <code class="docutils literal notranslate"><span class="pre">None</span></code>,
the <code class="docutils literal notranslate"><span class="pre">token_*</span></code> functions will use a reasonable default instead.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>That default is subject to change at any time, including during
maintenance releases.</p>
</div>
</div>
</div>
<div class="section" id="other-functions">
<h2>Other functions<a class="headerlink" href="#other-functions" title="Permalink to this headline"></a></h2>
<dl class="function">
<dt id="secrets.compare_digest">
<code class="descclassname">secrets.</code><code class="descname">compare_digest</code><span class="sig-paren">(</span><em>a</em>, <em>b</em><span class="sig-paren">)</span><a class="headerlink" href="#secrets.compare_digest" title="Permalink to this definition"></a></dt>
<dd><p>Return <code class="docutils literal notranslate"><span class="pre">True</span></code> if strings <em>a</em> and <em>b</em> are equal, otherwise <code class="docutils literal notranslate"><span class="pre">False</span></code>,
in such a way as to reduce the risk of
<a class="reference external" href="https://codahale.com/a-lesson-in-timing-attacks/">timing attacks</a>.
See <a class="reference internal" href="hmac.html#hmac.compare_digest" title="hmac.compare_digest"><code class="xref py py-func docutils literal notranslate"><span class="pre">hmac.compare_digest()</span></code></a> for additional details.</p>
</dd></dl>
</div>
<div class="section" id="recipes-and-best-practices">
<h2>Recipes and best practices<a class="headerlink" href="#recipes-and-best-practices" title="Permalink to this headline"></a></h2>
<p>This section shows recipes and best practices for using <a class="reference internal" href="#module-secrets" title="secrets: Generate secure random numbers for managing secrets."><code class="xref py py-mod docutils literal notranslate"><span class="pre">secrets</span></code></a>
to manage a basic level of security.</p>
<p>Generate an eight-character alphanumeric password:</p>
<div class="highlight-python3 notranslate"><div class="highlight"><pre><span></span><span class="kn">import</span> <span class="nn">string</span>
<span class="n">alphabet</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">ascii_letters</span> <span class="o">+</span> <span class="n">string</span><span class="o">.</span><span class="n">digits</span>
<span class="n">password</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">choice</span><span class="p">(</span><span class="n">alphabet</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">8</span><span class="p">))</span>
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Applications should not
<a class="reference external" href="http://cwe.mitre.org/data/definitions/257.html">store passwords in a recoverable format</a>,
whether plain text or encrypted. They should be salted and hashed
using a cryptographically-strong one-way (irreversible) hash function.</p>
</div>
<p>Generate a ten-character alphanumeric password with at least one
lowercase character, at least one uppercase character, and at least
three digits:</p>
<div class="highlight-python3 notranslate"><div class="highlight"><pre><span></span><span class="kn">import</span> <span class="nn">string</span>
<span class="n">alphabet</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">ascii_letters</span> <span class="o">+</span> <span class="n">string</span><span class="o">.</span><span class="n">digits</span>
<span class="k">while</span> <span class="kc">True</span><span class="p">:</span>
<span class="n">password</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">choice</span><span class="p">(</span><span class="n">alphabet</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">10</span><span class="p">))</span>
<span class="k">if</span> <span class="p">(</span><span class="nb">any</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">islower</span><span class="p">()</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">password</span><span class="p">)</span>
<span class="ow">and</span> <span class="nb">any</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">isupper</span><span class="p">()</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">password</span><span class="p">)</span>
<span class="ow">and</span> <span class="nb">sum</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">isdigit</span><span class="p">()</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">password</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">3</span><span class="p">):</span>
<span class="k">break</span>
</pre></div>
</div>
<p>Generate an <a class="reference external" href="https://xkcd.com/936/">XKCD-style passphrase</a>:</p>
<div class="highlight-python3 notranslate"><div class="highlight"><pre><span></span><span class="c1"># On standard Linux systems, use a convenient dictionary file.</span>
<span class="c1"># Other platforms may need to provide their own word-list.</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;/usr/share/dict/words&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
<span class="n">words</span> <span class="o">=</span> <span class="p">[</span><span class="n">word</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> <span class="k">for</span> <span class="n">word</span> <span class="ow">in</span> <span class="n">f</span><span class="p">]</span>
<span class="n">password</span> <span class="o">=</span> <span class="s1">&#39; &#39;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">choice</span><span class="p">(</span><span class="n">words</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">4</span><span class="p">))</span>
</pre></div>
</div>
<p>Generate a hard-to-guess temporary URL containing a security token
suitable for password recovery applications:</p>
<div class="highlight-python3 notranslate"><div class="highlight"><pre><span></span><span class="n">url</span> <span class="o">=</span> <span class="s1">&#39;https://mydomain.com/reset=&#39;</span> <span class="o">+</span> <span class="n">token_urlsafe</span><span class="p">()</span>
</pre></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<h3><a href="../contents.html">Table of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#"><code class="xref py py-mod docutils literal notranslate"><span class="pre">secrets</span></code> — Generate secure random numbers for managing secrets</a><ul>
<li><a class="reference internal" href="#random-numbers">Random numbers</a></li>
<li><a class="reference internal" href="#generating-tokens">Generating tokens</a><ul>
<li><a class="reference internal" href="#how-many-bytes-should-tokens-use">How many bytes should tokens use?</a></li>
</ul>
</li>
<li><a class="reference internal" href="#other-functions">Other functions</a></li>
<li><a class="reference internal" href="#recipes-and-best-practices">Recipes and best practices</a></li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="hmac.html"
title="previous chapter"><code class="xref py py-mod docutils literal notranslate"><span class="pre">hmac</span></code> — Keyed-Hashing for Message Authentication</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="allos.html"
title="next chapter">Generic Operating System Services</a></p>
<div role="note" aria-label="source link">
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../bugs.html">Report a Bug</a></li>
<li>
<a href="https://github.com/python/cpython/blob/3.7/Doc/library/secrets.rst"
rel="nofollow">Show Source
</a>
</li>
</ul>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="allos.html" title="Generic Operating System Services"
>next</a> |</li>
<li class="right" >
<a href="hmac.html" title="hmac — Keyed-Hashing for Message Authentication"
>previous</a> |</li>
<li><img src="../_static/py.png" alt=""
style="vertical-align: middle; margin-top: -1px"/></li>
<li><a href="https://www.python.org/">Python</a> &#187;</li>
<li>
<span class="language_switcher_placeholder">en</span>
<span class="version_switcher_placeholder">3.7.4</span>
<a href="../index.html">Documentation </a> &#187;
</li>
<li class="nav-item nav-item-1"><a href="index.html" >The Python Standard Library</a> &#187;</li>
<li class="nav-item nav-item-2"><a href="crypto.html" >Cryptographic Services</a> &#187;</li>
<li class="right">
<div class="inline-search" style="display: none" role="search">
<form class="inline-search" action="../search.html" method="get">
<input placeholder="Quick search" type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('.inline-search').show(0);</script>
|
</li>
</ul>
</div>
<div class="footer">
&copy; <a href="../copyright.html">Copyright</a> 2001-2019, Python Software Foundation.
<br />
The Python Software Foundation is a non-profit corporation.
<a href="https://www.python.org/psf/donations/">Please donate.</a>
<br />
Last updated on Jul 13, 2019.
<a href="../bugs.html">Found a bug</a>?
<br />
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 2.0.1.
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink