Perhaps times have changed but I forgot to mention that 8 years ago Malcolm rejected the idea that more randomness is required in the secret key. From the reporter of #9687:
"The generation of the SECRET_KEY setting for a new site uses an artificially low number of characters due to a design accident. As far as I can see, SECRET_KEY is not used in a way which would make it case-sensitive or require it to be read out, but instead is used in MD5 hashes where more randomness is preferred." Malcolm: "You don't explain what the "design accident" might be. If you are referring to the particular choice of characters, that is hardly an accident. The question isn't whether the string is as random as possible (your alternative doesn't meet that requirement either), it's whether it's sufficiently random as to be effectively unguessable. The current code has 5050 different strings (around 1085) that are possible and the choices are statistically uniformly distributed over that space. Your are proposing to extend the range of characters, but that doesn't change much. Since the chance of guessing the secret key string for a particular site is already unlikely (a billion guesses per second will take 1068 years), the key weakness is the PRNG being used to gerneated the choices and that security isn't improved by increased the range of characters (if you can accurately determine the state at the start of the string, you can still determine the whole string, regardless of the number of characters used). At some point here, we just have to make a choice. Why not use more characters than your range? Why not switch to 150 characters in the secret, etc? If you want to use a longer secret key in your projects, that's certainly going to be possible, since it's just a string and you can create it however you like. The one that Django generates isn't inherently insecure, though." https://code.djangoproject.com/ticket/9687 On Thursday, December 22, 2016 at 3:18:52 PM UTC-5, Ryan Hiebert wrote: > > > > On Dec 22, 2016, at 1:41 PM, Tim Graham <timog...@gmail.com > <javascript:>> wrote: > > > > There's debate in #24994 about whether or not settings.SECRET_KEY should > or may be a bytestring. Some select quotes to summarize the discussion: > > > > [snip] > > > > I hope we can come to a decision and at least clarify the documentation. > Perhaps deferring a code change (if any) until Django 2.0 so that only > Python 3 is a consideration would help. > > > > https://code.djangoproject.com/ticket/24994 > > https://code.djangoproject.com/ticket/19980 > > It seems to me that whatever option is chosen, it should support some > mechanism that all provided bytes be random. In the case of using > ascii-only bytes, this is not the case. With that goal in mind, I think > there are, at least in principle, two choices, and the correct one depends > on what is a more important priority. > > If its more important to transparently have the right data type, then we > should use bytes. This may mean that we prefer to generate bytes that are > not fully random (top bits are always 0, etc) so that we can avoid escape > sequences. > > If we'd rather ensure that all of the bits we generate both avoid escape > sequences and provide all of their own bytes randomly, then we'll need to > have settings.SECRET_KEY be an encoded bytes, perhaps base64. In that case, > it likely doesn't matter whether it's a string or a bytes, as > base64.b64decode permits either. > > I suspect making SECRET_KEY encoded with something like base64 is likely a > non-starter due to backward compatibility, so that means to me that using > bytes would be preferable. > > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/ed86e829-154d-4a12-b4ff-a71940b5317d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
