Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#15639 closed (needsinfo)

make_random_password in django.contrib.auth.models UserManager(models.Manager):

Reported by: anonymous Owned by: nobody
Component: Uncategorized Version: 1.2
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

make_random_password in django.contrib.auth.models UserManager(models.Manager):

appears to use 'choice' from the python random module.

    def make_random_password(self, length=10, allowed_chars='abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'):
        "Generates a random password with the given length and given allowed_chars"
        # Note that default value of allowed_chars does not have "I" or letters
        # that look like it -- just to avoid confusion.
        from random import choice
        return ''.join([choice(allowed_chars) for i in range(length)])

I propose the following instead:

    def make_random_password(self, length=10, allowed_chars='abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'):
        "Generates a random password with the given length and given allowed_chars"
        # Note that default value of allowed_chars does not have "I" or letters
        # that look like it -- just to avoid confusion.
        from random import SystemRandom as random
        return ''.join([random().choice(allowed_chars) for i in range(length)])

Change History (4)

comment:1 Changed 6 years ago by Ramiro Morales

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Resolution: needsinfo
Status: newclosed

It's hard to consider such a proposal without a rationale. Can you explain why the proposed change would be a fix or enhancement over the current code?

comment:2 Changed 6 years ago by Russell Keith-Magee

The only reason I can think of to generate a random password would be to send it in cleartext. To which, the answer is a definitive No. Not ever.

comment:3 Changed 6 years ago by Simon Meers

I imagine the reporter's rationale was that random.SystemRandom might provide better randomisation the standard implementation. No idea whether that is the case. Russ, the method already exists in Django apparently?

comment:4 Changed 5 years ago by anonymous

@DrMeets - that is the case.

Note: See TracTickets for help on using tickets.
Back to Top