      You have completed What's New in Python 3.6?!
      
    
  Last, but not least, Python has a new module `secrets`. This module has handy tools for generating cryptographically strong random numbers and tokens.
                      One of the bigger changes that came
to 3.6, is the new secrets module.
                      0:00
                    
                    
                      This module provides handy tools for
generating random numbers, tokens, and
                      0:04
                    
                    
                      other security related data.
                      0:08
                    
                    
                      Let me show you quickly how to use
some of these new features, and
                      0:09
                    
                    
                      I'm gonna start by importing secrets.
                      0:12
                    
                    
                      The first useful thing in the secrets
module, is the ability to generate
                      0:14
                    
                    
                      cryptographically strong,
random numbers and tokens.
                      0:17
                    
                    
                      You would use these numbers and
tokens for generating encrypted messages,
                      0:20
                    
                    
                      passwords, and even further tokens.
                      0:23
                    
                    
                      Now, why not use the random module?
                      0:26
                    
                    
                      Well, random is meant for modeling in
everyday usage, like in games, not for
                      0:28
                    
                    
                      security implementations.
                      0:32
                    
                    
                      To get a random number though,
from the secrets module,
                      0:34
                    
                    
                      you'll generally use one of two functions,
randbelow and randbits.
                      0:37
                    
                    
                      randbelow, as you can probably guess,
                      0:42
                    
                    
                      gives you a random number
below some other number.
                      0:44
                    
                    
                      It's similar to random's randrange
function, but again it's meant for
                      0:48
                    
                    
                      use in cryptographic scenarios.
                      0:52
                    
                    
                      Probably more often though you're
going to want a random number
                      0:54
                    
                    
                      of a given number of bits,
so of a given size.
                      0:57
                    
                    
                      If you're generating keys for instance,
                      1:00
                    
                    
                      it's really recommended to have a seed of
at least 32 bytes which would be 256 bits.
                      1:02
                    
                    
                      So randbits, and then we pass in the
number of bits which we want 256 of them,
                      1:07
                    
                    
                      and we get a number like that.
                      1:12
                    
                    
                      Now that 256 is for
current security recommendations.
                      1:15
                    
                    
                      That number is only going to go up as CPUs
and GPUs become more powerful, and
                      1:20
                    
                    
                      brute forcing operations
get easier to use.
                      1:24
                    
                    
                      There are three different functions for
generating tokens and
                      1:28
                    
                    
                      each of them takes a number of tokens to
use in the generation of that token.
                      1:30
                    
                    
                      Well, let's get a 256 bit token,
so 32 bytes.
                      1:34
                    
                    
                      We can get bytes, hexadecimal or
a token that would be URL friendly.
                      1:39
                    
                    
                      Let's try the hex and URL versions.
                      1:43
                    
                    
                      So secrets.token_hex, and
we pass in the number of bytes and
                      1:44
                    
                    
                      secrets.url, or token_urlsafe, and
also the number of bytes, 32.
                      1:50
                    
                    
                      So those are both handy little
tokens that we could use.
                      1:56
                    
                    
                      Not a lot of difference between these two
like they're both the same kind of range
                      2:00
                    
                    
                      of characters.
                      2:03
                    
                    
                      But still a good idea to use the URL safe
method when you know your token is going
                      2:04
                    
                    
                      to travel across the wire in a URL.
                      2:08
                    
                    
                      Now we can use these tokens or
tokens like them to encode a message, and
                      2:09
                    
                    
                      then use the secrets module to make sure
the message hasn't been tampered with.
                      2:13
                    
                    
                      So I'm gonna import hmac, so
                      2:17
                    
                    
                      that I can generate
a cryptographically secure message.
                      2:19
                    
                    
                      And then I'm going to make a new token, and
this time I'm going to use the token bytes
                      2:23
                    
                    
                      because hmac expects a bytes string for
the key.
                      2:28
                    
                    
                      And again I want it to be 32 bytes.
                      2:33
                    
                    
                      If I look at token, it's a bunch of bytes,
and let's make msg1 = hmac.new,
                      2:35
                    
                    
                      and we're going to use
that token to encrypt it.
                      2:42
                    
                    
                      And we have to give a message here,
so I'm just gonna say 'Hi there'.
                      2:45
                    
                    
                      And the message needs to be bytes as well.
                      2:50
                    
                    
                      So now, let's be sneaky, and we'll do
msg1.copy and make a copy of that message.
                      2:52
                    
                    
                      And then we'll do msg2.update
                      2:58
                    
                    
                      'Sneaky sneaky', and
we'll add a new message to it.
                      3:04
                    
                    
                      So now I can use secrets.compare_digest.
                      3:08
                    
                    
                      And I can compare
msg1.digest to msg1.digest,
                      3:12
                    
                    
                      and I get that that's true.
                      3:18
                    
                    
                      Because it is, it's the exact same
message; that message has not changed.
                      3:21
                    
                    
                      But if I compare msg1's digest to msg2's
digest, I get false, since I tampered with
                      3:25
                    
                    
                      the message by adding more data to it,
the comparison fails for the second one.
                      3:31
                    
                    
                      I'm sure the secrets module is going
to get even more handy functions in
                      3:34
                    
                    
                      the future so
be sure to keep your eyes on it.
                      3:37
                    
                    
                      There's lots more to explore
in this update to Python.
                      3:40
                    
                    
                      I've linked to the release
notes in the teacher's notes.
                      3:43
                    
                    
                      And you should go check out
the related peps and documentation for
                      3:45
                    
                    
                      these new features.
                      3:47
                    
                    
                      I'll see you next time.
                      3:48
                    
              