Tuesday 28 April 2020

Can I make a secure "pure function" based password generator using python's random module?

So I was looking for ways of managing my passwords without using a server-based password manager like LastPass and I came across https://lesspass.com. According to the website, this tool creates the same password for the given master password, username and website. I really liked the idea and decided to make my own proof of concept in python using the random module. I made this simple function:

    import os
    import random
    import string


    # Master password is read from the environment so it never appears in the source.
    MASTER_PASS = os.environ.get('MASTER_PASS')
    if MASTER_PASS is None:
        raise SystemExit("MASTER_PASS environment variable is not set")


    def generate(platform, user, length):
        # Seed the PRNG with the concatenated inputs so the same inputs
        # always reproduce the same password.
        random.seed(platform + user + MASTER_PASS)
        letters = string.ascii_letters + string.digits + string.punctuation
        password = ""
        for i in range(length):
            password += random.choice(letters)
        return password


    print(generate("facebook", "xyz.abc", 32))

I think this should be secure enough as long as nobody knows my MASTER_PASS, but I cannot shake the feeling that this is somehow stupidly unsafe. Can anyone point out the glaring flaws in this approach and suggest some ways to improve the robustness?
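The following is an added example, not code from the question or from LessPass, showing how the same deterministic "same inputs, same password" behaviour can be built on a password-based key derivation function instead of the `random` module. Python's documentation states that `random` is not suitable for security or cryptographic purposes, and seeding it with a string makes the whole output sequence a pure function of that one seed value with no deliberate slow-down against guessing. PBKDF2-HMAC from the standard library is designed for exactly this job: it is deterministic, it is salted (here with the site and user name, so one master password yields unrelated keys per site), and its iteration count makes each master-password guess expensive. The names `ALPHABET`, `_byte_stream` and `derive_password`, the `\x00` separator and the iteration count are this example's own choices, not anything from the original post.

```python
import hashlib
import hmac
import string

# Same symbol set as the question: 52 letters, 10 digits, 32 punctuation marks = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _byte_stream(key: bytes):
    """Expand a derived key into an unbounded byte stream (HMAC-SHA256 in counter mode)."""
    counter = 0
    while True:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        yield from block  # yields one int (0..255) per byte
        counter += 1


def derive_password(master: str, platform: str, user: str, length: int = 32,
                    iterations: int = 200_000) -> str:
    """Deterministically derive a site password from (master, platform, user).

    The same three inputs always give the same password; changing any one of
    them gives an unrelated password. `iterations` is a cost parameter chosen
    for this example, not a value from the original post.
    """
    if not master:
        raise ValueError("master password must not be empty")
    if length <= 0:
        raise ValueError("length must be positive")
    # Site and user form the salt. The NUL separator keeps ("ab", "c") and
    # ("a", "bc") from producing the same salt, which plain concatenation would.
    salt = f"{platform}\x00{user}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)

    # Map bytes onto the alphabet with rejection sampling: only bytes below
    # `limit` are used, so `b % 94` is uniform and no symbol is favoured.
    limit = 256 - (256 % len(ALPHABET))  # 188 for a 94-symbol alphabet
    out = []
    for b in _byte_stream(key):
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs; the master password here is a placeholder, not a real secret.
    print(derive_password("correct horse battery staple", "facebook", "xyz.abc", 32))
```

The modulo-with-rejection step matters because `random.choice` does the equivalent internally, but a naive `byte % 94` over raw hash output would make the first 68 symbols of the alphabet slightly more likely than the rest. The iteration count should be tuned so a derivation takes a noticeable fraction of a second on the machine that runs it; that delay is what a seeded PRNG cannot provide.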



