Jetfar.com

It’s about whatever I’m into right now

Simple API Key Generation in Python

Summary

I’m creating a REST API for my current Django project, and I want a good pseudo-random way to generate alphanumeric API keys. Outlined below is a simple method which I believe produces reasonably unpredictable keys.

Discussion

Like session keys, API keys must be unpredictable: anyone who can guess or reconstruct a key gets whatever access it grants. So no user variables or timestamps are encoded into the key; it is derived entirely from a random source.

Specifically, the key starts life as a 256-bit number drawn from Python’s random module, whose generator is the Mersenne Twister pseudo-random number generator (PRNG).

>>> import random
>>> str(random.getrandbits(256))
'90035287577760653301955374895950037116738729760252440482985364146171806313429'

Mersenne Twister itself is not cryptographically secure: its internal state is 624 32-bit words, and an observer who sees 624 consecutive raw outputs can reconstruct that state and predict every subsequent output.

To keep the raw generator output from ever appearing in a key, the 256-bit number is cryptographically hashed. (This interim example uses SHA-224, which gives a 56-hex-digit digest; the final version below uses SHA-256.) Be clear about what the hash does and does not buy you: it hides the generator’s output, so keys cannot be fed straight into a state-recovery attack, but it adds no entropy. Anyone who learns the generator’s state by other means, for example from other uses of random in the same process or from a weak seed, can regenerate the keys exactly.

>>> import hashlib
>>> hashlib.sha224(str(random.getrandbits(256))).hexdigest()
'654c6da8f3b0fd8fe819669daf07996738d21a53c02c731b0aee6373'

(This is Python 2, where hashlib accepts a str directly; in Python 3 the string must be encoded to bytes first.)

The digest is then Base64 encoded, which yields a string of upper- and lower-case letters and digits plus, for binary input, the two non-alphanumeric characters ‘+’ and ‘/’ and trailing ‘=’ padding.

A character pair (eg: ‘aF’ or ‘zZ’) is then chosen pseudo-randomly from a small pool of pairs and passed to b64encode as its altchars argument, so the first character of the pair replaces ‘+’ and the second replaces ‘/’ in the output. This is a substitution, not a salt: it keeps the key alphanumeric and contributes at most a few bits of variation, no secrecy. The ‘=’ padding is stripped.

The resulting string is a 43-character alphanumeric key (a 32-byte SHA-256 digest Base64-encodes to 44 characters, one of which is padding), large enough and unpredictable enough for an API key provided the generator state stays secret.

>>> import base64
>>> base64.b64encode(hashlib.sha256(str(random.getrandbits(256))).digest(), random.choice(['rA','aZ','gQ','hH','hG','aR','DD'])).rstrip('=')
'mwkMqTWFnK0LzJHyfkeBGoS2hr2KG7WhHqSGX0SbDJ4'
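As an added example (not code from the post), here is the pipeline above as a Python 3 function, beside a variant that takes its 256 bits from os.urandom instead of the Mersenne Twister. The pair pool is copied from the post’s example; the function names are mine; the os.urandom variant is my substitution, not the post’s method. The last function shows why hashing the generator output does not make keys unpredictable: two generators in the same state produce the same keys, hash or no hash.

```python
import base64
import hashlib
import os
import random
import string

# Pool of substitute pairs, copied from the post's example; the first character
# of a pair replaces '+' and the second replaces '/' in the Base64 output.
ALT_PAIRS = ['rA', 'aZ', 'gQ', 'hH', 'hG', 'aR', 'DD']

KEY_LENGTH = 43  # 32 bytes -> 44 Base64 characters, minus one '=' of padding


def _encode(raw32, rng):
    """Base64 32 bytes with a randomly chosen pair as altchars, padding stripped."""
    altchars = rng.choice(ALT_PAIRS).encode('ascii')
    return base64.b64encode(raw32, altchars).rstrip(b'=').decode('ascii')


def mt_key(rng=random):
    """The post's pipeline: Mersenne Twister -> SHA-256 -> Base64 -> alphanumeric.
    `rng` is any random.Random-like object; the module default is Mersenne Twister."""
    raw = str(rng.getrandbits(256)).encode('ascii')   # decimal string, as the post hashes it
    return _encode(hashlib.sha256(raw).digest(), rng)


def urandom_key():
    """Hardened variant (my substitution, not the post's): the 256 bits come from
    the OS CSPRNG via os.urandom, so there is no predictable generator to hide and
    no hash is needed. random.SystemRandom also reads os.urandom, so the pair
    choice is CSPRNG-backed as well."""
    return _encode(os.urandom(32), random.SystemRandom())


def is_alnum_key(key):
    """Sanity check: expected length and alphanumeric characters only."""
    allowed = set(string.ascii_letters + string.digits)
    return len(key) == KEY_LENGTH and all(c in allowed for c in key)


def hash_does_not_hide_state(seed=0xC0FFEE, n=3):
    """Two Mersenne Twister instances in the same state yield identical keys
    despite the hash: whoever recovers the state can regenerate every key."""
    a, b = random.Random(seed), random.Random(seed)
    return [mt_key(a) for _ in range(n)] == [mt_key(b) for _ in range(n)]


if __name__ == '__main__':
    print('MT key:      ', mt_key())
    print('urandom key: ', urandom_key())
    print('same state -> same keys:', hash_does_not_hide_state())
```

On Python 3.6 and later, secrets.token_urlsafe(32) is the standard-library way to get the same strength; it uses URL-safe Base64 (‘-’ and ‘_’ instead of ‘+’ and ‘/’), so the pair substitution would still be needed if the key must be strictly alphanumeric.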

Conclusion

Without too much complication or any hardware source of randomness, this seems like a reasonable method for API key generation. One refinement: the same pipeline can take its 256 bits from os.urandom(32), the operating system’s CSPRNG, instead of getrandbits. That removes the predictability concern entirely and makes the hashing step unnecessary, since there is no longer a recoverable generator state to hide.

Written by Rich Atkinson

June 3, 2009 at 2:03 pm

Posted in Python

Bing.com launches with er… unbiased? search (not)

I guess we shouldn’t have expected anything more.

microsoft bing is biased shit

via @zedshaw

Written by Rich Atkinson

June 2, 2009 at 12:12 am

Posted in Opinion

Revamp of Linux.com

Last year the Linux Foundation acquired the domain linux.com from sourceforge.

They’ve just relaunched with a Joomla based web site, and it looks like a really good start. Well done guys!

The new linux.com…

Written by Rich Atkinson

May 15, 2009 at 9:25 am

Posted in Linux

I am a craftbrewer

I really like this neat video featuring some of America’s leading craft brewers:

“I Am A Craft Brewer” is a collaborative video representing the camaraderie, character and integrity of the American Craft Brewing movement. Created by Greg Koch, CEO of the Stone Brewing Co. and Chris & Jared of Redtail Media…and more than 35 amazing craft brewers from all over the country. The video was shown to a packed audience of 1700 craft brewers and industry members at the 2009 Craft Brewers Conference as an introduction to Greg’s Keynote Speech entitled “Be Remarkable: Collaboration Ethics Camaraderie Passion.”

Written by Rich Atkinson

May 4, 2009 at 1:58 pm

Posted in Beer

Twitter

After setting up a twitter account so long ago I can’t remember when or why, I just logged in to find I have followers! They’re all people I know from the offline world. Well, all but one hot-looking spam chick anyway. No offense if you’re not!

So from today I’m going to at least check twitter, and see how it goes.

Written by Rich Atkinson

April 29, 2009 at 11:20 am

Posted in Personal