
Random Strings

For secrets and other useful things


Last updated 5 years ago


Do Not Do This: This Stack Overflow question is the current top Google result for "random string Python". The current top answer is "wrong."

''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(N))

This is an excellent method, but the PRNG in random is not cryptographically secure. I assume many people researching this question will want to generate random strings for encryption or passwords. You can do this securely by making a small change in the above code:

''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(N))

Using random.SystemRandom() instead of just random uses /dev/urandom on *nix machines and CryptGenRandom() in Windows. These are cryptographically secure PRNGs. Using random.choice instead of random.SystemRandom().choice in an application that requires a secure PRNG could be potentially devastating, and given the popularity of this question, I bet that mistake has been made many times already.

If you're using Python 3.6 or above, you can use the new secrets module as mentioned in MSeifert's answer:

''.join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(N))

The module docs also discuss convenient ways to generate secure tokens and best practices.
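The difference between the three one-liners above, as an added example (not code from this page or from the quoted answer; all function names are hypothetical). It shows that the Mersenne Twister behind `random` has a state that can be snapshotted and replayed to reproduce a generated string, that `SystemRandom` exposes no such state, and how long a string over this 36-character alphabet must be to reach a target entropy.

```python
import math
import random
import secrets
import string

# Same alphabet as the one-liners above: 26 uppercase letters + 10 digits.
ALPHABET = string.ascii_uppercase + string.digits


def insecure_string(n, rng=random):
    """The 'do not do this' version: draws from the Mersenne Twister."""
    return ''.join(rng.choice(ALPHABET) for _ in range(n))


def secure_string(n):
    """The secrets-based version: draws from the OS CSPRNG."""
    return ''.join(secrets.choice(ALPHABET) for _ in range(n))


def replay_insecure(n):
    """Snapshot the generator state, generate, restore, generate again.

    Both strings are identical: the output is a pure function of the state.
    """
    rng = random.Random()
    state = rng.getstate()
    first = insecure_string(n, rng)
    rng.setstate(state)
    second = insecure_string(n, rng)
    return first, second


def csprng_has_no_replayable_state():
    """SystemRandom has no user-visible state to capture or restore."""
    try:
        random.SystemRandom().getstate()
    except NotImplementedError:
        return True
    return False


def length_for_bits(bits, alphabet=ALPHABET):
    """Minimum string length giving at least `bits` of entropy."""
    return math.ceil(bits / math.log2(len(alphabet)))


if __name__ == "__main__":
    print("replayed pair:", replay_insecure(16))
    print("SystemRandom state unavailable:", csprng_has_no_replayable_state())
    print("128-bit secret:", secure_string(length_for_bits(128)))
```

Each character from this alphabet carries about 5.17 bits, so a 128-bit secret needs 25 characters.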