Comments (6)
Hi Nick. Wow. Neat. And Hardcore!
I like the fact that it makes the entropy really easy to see, but I worry it's a bit harder to understand for non crypto experts. Not everyone knows what base-64 encoding is, and the 256 // 8 is just baffling if you don't guess that the author is trying to make the entropy explicit...
How strongly do you feel about it? I don't want to discourage one of my very rare contributors by rejecting this outright...
How are you enjoying the book anyways?
from book-tdd-web-dev-python.
From the implementation side of things, the base64 version is faster, less obscure (have a look at how .choice() is implemented and try to find out exactly how many bytes are being read from urandom to see what I mean) and less wasteful on urandom data.
In terms of readability and educating the reader about what exactly happens, I think the original version is still better.
Note that the base64 version only reads 32 bytes from urandom, whereas the choice based one reads at least 50 bytes and then throws away the top 2 bits of each byte. The base64 one has 256 ** 32 possible keys, the original one 50 ** 50 keys - several orders of magnitude more. The base64 version would need to read 36 bytes to give the same number of possibilities - which is actually better than the choice based one, since you save >=14 urandom bytes input and the key length is only 48 bytes.
Regarding the idea of os.urandom(n) returning 8 * n bits of entropy, I don't think this is true, but then the term "entropy" has too many meanings depending on who you ask anyway ;-) See e.g. http://www.2uo.de/myths-about-urandom/ for one set of views on this.
Love the book, it's helping me to break some habits (YAGNI, etc :P) as well as giving me a good walk-through of the testing functionality inside of Django (which I knew was there, but never really figured out). Speaking of Django, with a look at their SECRET_KEY generation in startproject, it's evident where you got that snippet from ;)
To calculate bits of entropy, strength, whatever...: length * log2(n_symbols). So for a 50-length string of 50 symbols, 50 * log2(50) = 282.2 bits, versus the (arbitrarily chosen, but can also be arbitrarily rechosen) 256 bits (= 32 * log2(256) ~= 43 * log2(64)). Up it to 384 perhaps, but 256 is plenty strong nowadays.
For orders, every 3.3 bits is equivalent to a power of 10 (because log2(10) = 3.32). To convert bits to combinations, just do 2**x, but talking in bits is usually more convenient and comparable to other things.
Both methods use the same PRNG source, so there is no difference in some side-channel(?) attack that exploits the weakness of the RNG.
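A worked check of the entropy arithmetic in the comments above (an added example, not code from the PR or the book): it computes length * log2(n_symbols) for the choice-based key, 8 * n for the urandom-based one, and the byte count base64 would need to match. The 50-symbol alphabet is assumed to be the one Django's startproject used, and secrets.choice stands in for the SystemRandom-based choice.

```python
import base64
import math
import os
import secrets

# Assumed 50-symbol alphabet (lowercase letters, digits, punctuation),
# constructed here to mirror the startproject-style generator.
SYMBOLS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
assert len(SYMBOLS) == 50


def choice_key(length: int = 50, symbols: str = SYMBOLS) -> str:
    """Original style: pick `length` symbols from a CSPRNG-backed choice()."""
    return "".join(secrets.choice(symbols) for _ in range(length))


def base64_key(nbytes: int = 32) -> str:
    """Proposed style: base64-encode raw os.urandom bytes."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def choice_entropy_bits(length: int, n_symbols: int) -> float:
    """Bits of entropy in a key of `length` symbols drawn uniformly from `n_symbols`."""
    return length * math.log2(n_symbols)


def urandom_entropy_bits(nbytes: int) -> int:
    """Bits in `nbytes` of urandom output, assuming 8 bits per byte."""
    return 8 * nbytes


def urandom_bytes_to_match(length: int, n_symbols: int) -> int:
    """Smallest urandom byte count whose bit count meets the choice-based key."""
    return math.ceil(choice_entropy_bits(length, n_symbols) / 8)


def bits_to_decimal_orders(bits: float) -> float:
    """Convert bits to powers of ten: every log2(10) ~= 3.32 bits is one order."""
    return bits / math.log2(10)


if __name__ == "__main__":
    print(f"50 x 50 symbols: {choice_entropy_bits(50, 50):.1f} bits")
    print(f"32 urandom bytes: {urandom_entropy_bits(32)} bits")
    print(f"bytes needed to match: {urandom_bytes_to_match(50, 50)}")
    print(f"base64 of 36 bytes is {len(base64_key(36))} chars long")
```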
Marc-Andre (hi!), Nick, thanks very much, this has been very good for my edumecation. Am reminded of Larry Hastings' talk on PRNGs... https://duckduckgo.com/?q=larry+hastings+random+numbers&ia=videos
Hope no-one's offended if I close this and leave the code as-is?
I'm OK with it for now. I'm being kinda nit-picky, but I'd do up a PR for funsies if you'd be receptive. I'm not sure how to do so against the myriad branches...
I don't really want to change the version in the book, but it's an interesting discussion -- I'll tell you what, if you want to write up a blog post about it, explaining your alternative, and writing up a bit of the discussion about pros + cons, entropy, etc, then I could link to it from the book, in a little note maybe?
Or I could just link to this PR discussion, if you're not big on blogging...