Use cryptographically secure random source for password generation

[daurnimator]

Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.

• Severity: Low
• Confidence: High
• Location: mtls/mtls.py:448
• More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random

447	        for c in range(10):
448	            pw.append(random.choice(wordList))
449	        return " ".join(pw).rstrip()

[drGrove]

Thanks for the notice!

It looks like Python 3.6 now supports "secure" random number generation and we wouldn't have to use cryptography (which isn't actually a big deal since we already use it).

If you'd like to make a PR for this it's definitely welcome or I can look into fixing this sometime this week.

[nocturn9x]

Hi, wouldn't something like random.SystemRandom().choice() work?

[M-S-10]

Hi! I would like to work on this, please assign the issue.