make_random_password in django.contrib.auth.models UserManager(models.Manager):

[anonymous]

make_random_password in django.contrib.auth.models UserManager(models.Manager):

appears to use 'choice' from the python random module.

    def make_random_password(self, length=10, allowed_chars='abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'):
        "Generates a random password with the given length and given allowed_chars"
        # Note that default value of allowed_chars does not have "I" or letters
        # that look like it -- just to avoid confusion.
        from random import choice
        return ''.join([choice(allowed_chars) for i in range(length)])

I propose the following instead:

    def make_random_password(self, length=10, allowed_chars='abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'):
        "Generates a random password with the given length and given allowed_chars"
        # Note that default value of allowed_chars does not have "I" or letters
        # that look like it -- just to avoid confusion.
        from random import SystemRandom as random
        return ''.join([random().choice(allowed_chars) for i in range(length)])

[Ramiro Morales]

It's hard to consider such a proposal without a rationale. Can you explain why the proposed change would be a fix or enhancement over the current code?

[Russell Keith-Magee]

The only reason I can think of to generate a random password would be to send it in cleartext. To which, the answer is a definitive No. Not ever.

[Simon Meers]

I imagine the reporter's rationale was that random.SystemRandom might provide better randomisation the standard implementation. No idea whether that is the case. Russ, the method already exists in Django apparently?

[anonymous]

@DrMeets - that is the case.