The FULL Guide To Secrets (Module) For Python Developers

Captions
In this video we're going to be covering a very important topic in Python, and that is the secrets module. Why is there a secrets module, and why can't we do everything with random? Well, the simple answer is that random is not cryptographically secure, so this is a terrible choice if you are generating passwords or tokens. It just gives the hacker a lot more leeway to actually guess what you're trying to do, since it was designed for modeling and simulation, not security and cryptography. If you want to generate secure information such as tokens or account authentication or passwords, you're going to want to use the secrets module, and this is what we're going to be covering in this video. I'm going to be showing you how you can use it and the methods that come with it.

So first of all, let's get rid of random and just import secrets. The first method I'm going to be showing you is how we can generate a random number using secrets and not random, and the syntax is quite similar. If you want to get a random number, you can create a variable, for example, and say secrets.randbelow, and it's going to require you to insert an upper bound, which means if we put 100 it's going to generate numbers from 0 to 100. We can verify this by printing the random number, so here we can just run the program and we'll get 63 as an output, then 83, then 52, then 40, and so on. So if you're doing something that requires passwords or account authentication or something else that has to be secure, make sure you use this secrets method, because this is cryptographically secure as opposed to using the random module. So that's the first method you should be aware of.

The next one is the choice method. So we're going to actually call this one random_choice, and that's going to equal secrets.choice, and this takes a sequence, so you can insert a list of elements. You can say one, two, three, four, five, and I will format that. When you run this it's going to return to us nothing, because I didn't print anything, but if we do print something it's going to return to us one of the elements each time at random. So you can run this as many times as you want and it's always going to return one element from inside here, in a cryptographically secure fashion, one at a time. One place you can see this being used in the documentation is to generate a password. For example, here's a function that's called generate_password. It takes a length of type integer, then we have the characters that we want to use, which I imported from the string module, so we're going to import string.ascii_letters, string.digits and string.punctuation. Then we have the password, the actual password that we want to generate, and we're just going to use the .join method to put together each one of these choices from the characters for the range of the length. So if we insert a length of 10, it's going to pick 10 random characters from ascii_letters and digits and punctuation, and you can actually test this out by typing generate_password and adding, let's say, six, and this will give us a secure password using a cryptographically secure algorithm provided by secrets.

But let's go back to the basics and get rid of string. Next I want to show you how you can generate a random number using bits. So here we have random, and we're going to type in secrets.randbits. This will allow you to generate numbers according to a certain bit size, so for example you can generate numbers that are up to 16 bits by providing 16 here. Now if you print the random you'll print numbers that are random from 0 to 16 bits, and as you can see it's just going to keep on printing nice numbers. We can actually change that to 8 if we want and it will still work the same way as many times as we run it. This can be any number you want; it can even be zero, but that defeats the purpose, because a zero-bit number is just going to return zero. But that's up to you, I'm not going to stop your creative flow.

Up next we have tokens. How can we generate tokens with secrets, and what kind of tokens can we generate? So we're just going to call this token, and we're going to use secrets, and the first token we're going to generate is going to be token_bytes, which takes a number of bytes as an argument. So if we pass in 32, it's going to use 32 bytes of randomosity (I don't know if that's a word, but I'm just going to use it), so 32 bytes of randomness, or randomosity, to generate this token. If you print this token now, you're going to get a byte token generated with 32 bytes of randomosity. I guess I'll just change that to randomness, that makes more sense in my head. Do let me know in the comment section down below if randomosity is a word, or if it should be a word. So that's how you can generate a byte token, and the same thing goes for hex tokens: if you need a hex token, just use the .token_hex method and it will generate a hex token for you, and you can run that as many times as you want. I believe right now, as of Python 3.11 and of this current implementation, the default is in fact 32 bytes, so you don't have to pass in 32 if you don't want to, but I do need to mention that that's bound to change as technology progresses. That's actually something very important to mention, and I'm going to show you the docs for this part, because the docs explain it much better than I can. There is a section in the secrets module section that says "How many bytes should tokens use?": "To be secure against brute-force attacks, tokens need to have a sufficient amount of randomness." That makes sense, because if you don't have enough randomness it's going to be very easy to guess. "Unfortunately, what is considered sufficient will necessarily increase as computers get more powerful and are able to make more guesses in a shorter period of time. As of 2015, it is believed that 32 bytes (256 bits) of randomness is sufficient for the typical use case expected for the secrets module." The important part to note is the note, and it just says that the default is subject to change at any time, including during maintenance releases. That again is because as time goes on computers are getting more and more powerful, which means what was working yesterday won't be secure today. That's just how technology works. But if you are a website, please stop forcing me to use an uppercase letter, because those are the only passwords I can never remember. But I guess if I can't log into my account, what chance do other people have?

Next I want to show you one of the methods that I really like, because it's straightforward and simple, and that's usually what I really love to see in Python, and this is the token_urlsafe method. You can still put as many bytes as you want inside there; we might just do 16 to keep it short here. What this is going to generate is a token that is good for your URLs. Maybe you have an authentication page, or maybe you have a password reset page and you need to give the user a temporary link. Usually you'll see something like this at the end of the website, and we can just do, for example, www.website.com/authenticate/ and inside here we're going to pass in the token, and we need to format that. So now when we run this it's going to look a lot more like something that you're used to seeing on the internet: you're going to have a token at the end, and the bigger this token is, in general, the harder it is to guess for those brute-force website crawlers, which is something you might want for your website. So I thought this was a really cool method, because it's simple and it tells you exactly what it's doing right away.

Now there's one more method I want to show you that has to do with comparing passwords, and this is a great alternative to what you're probably doing if you are new to Python. So for example, here we have some user input, which is going to be abc123, and the password we want to check against is abc123. One simple way to check this would be to do: if user_input is equal to password, then you should log the user in, so say "you are now logged in". If you run this it's going to print the message, because the password is equal to the user input; if we change the password it's not going to show anything, of course. Now there's a lot wrong with this when it comes to cyber security. This is not a video that's going to mention how you should hash your passwords or how you should salt and pepper them; this is not a video about that. So of course you will never want to store your passwords in a recoverable format such as this, and preferably you would want to hash them. But even if you hash your passwords and you use this comparison operator, that's a huge mistake, because it makes your program vulnerable to timing attacks. To sum up what a timing attack is in a nutshell: essentially, every time you make a request to a server, it takes a certain amount of time to give you a response. With timing attacks you can kind of use that response time to kind of figure out what kind of information is correct and what kind of information is wrong when you are brute forcing something. So to sum that up, this is vulnerable to timing attacks, and we do not want that in our program. So secrets does have a better method for that, and to use it we just have to type in secrets and we need to use compare_digest, and here we can pass in the user input and pass in the password. This method is used to compare bytes-like objects or strings, and it does it at a constant speed, so it helps us reduce the risk of those timing attacks, and this is much more cryptographically secure than using if/else. It still returns True or False just like using the comparison operator, but this time we have some more security when we are doing that. Now theoretically with this, since it does throw an error if they are of different lengths and if they are of different types, it might still give you that vulnerability of taking some more processing time, so the hacker might easily be able to learn how long your password is and whether this is of type string or of type integer. The hacker might be able to learn about that, but theoretically that's all they can learn about, so that's just as useful as saying "hey, my password is 100 characters and it's of type string, good luck, try to crack it". So that's still quite cryptographically secure.

Now the final point I want to cover with secrets is that it does have a class which you can instantiate, which helps with generating random numbers using the highest quality resources provided by the operating system. To use it you just need to create an instance, and we're just going to call it sr, for system random, and that's going to equal secrets.SystemRandom. Now when you want to refer to system random you can type in sr, and it's going to give you a lot of methods that can be used for generating random numbers or picking from random numbers and so on, and it's going to use the highest quality resources from your operating system. Now from that description I can't guarantee you that all of these are going to be cryptographically secure, but all I can say is that it's going to try its best to use the highest quality sources that your computer has to perform these operations.

But with all that being said, that's actually all I wanted to cover in today's lesson. So do let me know in the comment section down below whether you found this video interesting, whether you're already using secrets, what you use it for, or if you have some added information that you would like to share regarding the secrets module. But with all that being said, as always, thanks for watching and I'll see you in the next video. This was actually the second time I recorded this video, because I read the documentation wrong the first time, and there's just no recovering from recording a video with the wrong information; I can't edit that. So I actually had to redo this video and I'm really tired. I just had lunch, so I'm gonna go take a nap. What did you have for lunch?
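An added example (not code from the video or the Indently channel) that ties together the three secrets functions the transcript walks through: secrets.choice for the password generator, token_urlsafe for a password-reset link, and compare_digest for verification. It stores only a SHA-256 digest of the token, so compare_digest always receives two 32-byte values and the length caveat raised in the transcript does not apply to the real token. The in-memory store dict, the user names and the www.website.com domain are constructed placeholders.

```python
import hashlib
import secrets
import string

# Constructed example: in-memory "store" of {user: sha256(token)}; a real
# application would persist this with an expiry.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int) -> str:
    """Password of `length` chars drawn with secrets.choice (CSPRNG-backed)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_digest(token: str) -> bytes:
    """SHA-256 of the token: always 32 bytes, whatever the token's length."""
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset_link(store: dict, user: str, nbytes: int = 32) -> str:
    """Mint a URL-safe token, keep only its digest, return the reset link."""
    token = secrets.token_urlsafe(nbytes)
    store[user] = token_digest(token)
    # Placeholder domain, shaped like the video's authenticate/<token> link
    return f"https://www.website.com/authenticate/{token}"


def verify_reset_token(store: dict, user: str, presented: str) -> bool:
    """Constant-time check of a presented token against the stored digest.

    Hashing both sides first means compare_digest sees two equal-length
    byte strings, so nothing about the real token's length is exposed.
    A missing user still performs a comparison so the timing is similar.
    """
    expected = store.get(user)
    presented_digest = token_digest(presented)
    if expected is None:
        secrets.compare_digest(presented_digest, token_digest(""))
        return False
    return secrets.compare_digest(presented_digest, expected)


def token_from_link(link: str) -> str:
    """Pull the token back out of a link produced by issue_reset_link."""
    return link.rsplit("/", 1)[1]
```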
Info
Channel: Indently
Views: 7,958
Keywords: pyton, pyhton, pythn
Id: xVUjZGlqNFQ
Length: 11min 45sec (705 seconds)
Published: Wed Mar 01 2023