You have completed What's New in Python 3.6?!
Last, but not least, Python has a new module `secrets`. This module has handy tools for generating cryptographically strong random numbers and tokens.
One of the bigger changes that came
to 3.6, is the new secrets module.
0:00
This module provides handy tools for
generating random numbers, tokens, and
0:04
other security related data.
0:08
Let me show you quickly how to use
some of these new features, and
0:09
I'm gonna start by importing secrets.
0:12
The first useful thing in the secrets
module, is the ability to generate
0:14
cryptographically strong,
random numbers and tokens.
0:17
You would use these numbers and
tokens for generating encrypted messages,
0:20
passwords, and even further tokens.
0:23
Now, why not use the random module?
0:26
Well, random is meant for modeling in
everyday usage like in games, not for
0:28
security implementations.
0:32
To get a random number though,
from the secrets module,
0:34
you'll generally use one of two functions,
randbelow and randbits.
0:37
randbelow, as you can probably guess,
0:42
gives you a random number
below some other number.
0:44
It's similar to random's randrange
function but again it's meant for
0:48
use in cryptographic scenarios.
0:52
Probably more often though you're
going to want a random number
0:54
of a given number of bits,
so of a given size.
0:57
If you're generating keys for instance,
1:00
it's really recommended to have a seed of
at least 32 bytes which would be 256 bits.
1:02
So randbits, and then we pass in the
number of bits which we want 256 of them,
1:07
and we get a number like that.
1:12
Now that 256 is for
current security recommendations.
1:15
That number is only going to go up as CPUs
and GPUs become more powerful, and
1:20
brute forcing operations
get easier to use.
1:24
There are three different functions for
generating tokens and
1:28
each of them takes a number of tokens to
use in the generation of that token.
1:30
Well, let's get a 256 bit token,
so 32 bytes.
1:34
We can get bytes, hexadecimal or
a token that would be URL friendly.
1:39
Let's try the hex and URL versions.
1:43
So secrets.token_hex, and
we pass in the number of bytes and
1:44
secrets.url, or token_urlsafe, and
also the number of bytes 32.
1:50
So those are both handy little
tokens that we could use.
1:56
Not a lot of difference between these two
like they're both the same kind of range
2:00
of characters.
2:03
But still a good idea to use the URL safe
method when you know your token is going
2:04
to travel across the wire in a URL.
2:08
Now we can use these tokens or
tokens like them to encode a message, and
2:09
then use the secrets module to make sure
the message hasn't been tampered with.
2:13
So I'm gonna import hmac, so
2:17
that I can generate
a cryptographically secure message.
2:19
And then I'm going to make a new token, and
this time I'm going to use the token bytes
2:23
because hmac expects a bytes string for
the key.
2:28
And again I want it to be 32 bytes.
2:33
If I look at token, it's a bunch of bytes,
and let's make msg1 = hmac.new,
2:35
and we're going to use
that token to encrypt it.
2:42
And we have to give a message here,
so I'm just gonna say 'Hi there'.
2:45
And the message needs to be bytes as well.
2:50
So now, let's be sneaky, and we'll do
msg1.copy and make a copy of that message.
2:52
And then we'll do msg2.update
2:58
'Sneaky sneaky', and
we'll add a new message to it.
3:04
So now I can use secrets.compare_digest.
3:08
And I can compare
msg1.digest to msg1.digest,
3:12
and I get that that's true.
3:18
Because it is, it's the exact same
message; that message has not changed.
3:21
But if I compare msg1's digest to msg2's
digest, I get false, since I tampered with
3:25
the message by adding more data to it,
the comparison fails for the second one.
3:31
I'm sure the secrets module is going
to get even more handy functions in
3:34
the future so
be sure to keep your eyes on it.
3:37
There's lots more to explore
in this update to Python.
3:40
I've linked to the release
notes in the teacher's notes.
3:43
And you should go check out
the related PEPs and documentation for
3:45
these new features.
3:47
I'll see you next time.
3:48