Adding "bits of entropy" argument to crypto.get_random_string


Nick Timkovich

Mar 4, 2016, 7:16:31 PM3/4/16
to Django developers (Contributions to Django itself)
Rather than guess at the appropriate string length to get some level of security, I'd like to add a (minimum) bits of entropy argument to get_random_string, so I could say something like get_random_string(bits=256) and have it do the math for me: math.ceil(bits / math.log2(len(allowed_chars))).

Not sure what should happen if both bits and length are specified: let bits override? ValueError? Whichever is longer/more random/secure (maybe then call it min_bits)?

I seem to recycle that snippet in many of my projects, and I hope it would be useful for others.
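
The calculation described in this post, worked out as an added example (this is not Django's code and not the poster's snippet). It assumes Django's default alphabet of a-z, A-Z, 0-9 for get_random_string, takes the "whichever is longer" resolution for the case where both length and min_bits are given, and uses Python's secrets module for the draw; the function name get_random_string_entropy is hypothetical. Duplicate characters in allowed_chars are collapsed first, since they add no entropy and would skew the draw:

```python
import math
import secrets
import string

# Django's default alphabet for get_random_string: 62 symbols, ~5.95 bits per character.
DEFAULT_ALLOWED_CHARS = string.ascii_letters + string.digits


def _distinct(allowed_chars):
    """Alphabet with duplicates removed, order preserved; duplicates add no entropy."""
    alphabet = "".join(dict.fromkeys(allowed_chars))
    if len(alphabet) < 2:
        raise ValueError("allowed_chars needs at least two distinct characters")
    return alphabet


def length_for_bits(bits, allowed_chars=DEFAULT_ALLOWED_CHARS):
    """Smallest length whose uniformly drawn strings carry at least `bits` bits of entropy.

    This is the post's formula: ceil(bits / log2(len(allowed_chars))).
    """
    if bits <= 0:
        raise ValueError("bits must be positive")
    return math.ceil(bits / math.log2(len(_distinct(allowed_chars))))


def entropy_bits(length, allowed_chars=DEFAULT_ALLOWED_CHARS):
    """Entropy, in bits, of a uniformly drawn string of `length` characters."""
    return length * math.log2(len(_distinct(allowed_chars)))


def get_random_string_entropy(length=None, allowed_chars=DEFAULT_ALLOWED_CHARS, min_bits=None):
    """Draw a random string that is at least `length` characters long and carries at least
    `min_bits` bits of entropy, whichever requirement is stronger (hypothetical API)."""
    if length is None and min_bits is None:
        raise ValueError("specify length, min_bits, or both")
    alphabet = _distinct(allowed_chars)
    needed = length_for_bits(min_bits, alphabet) if min_bits is not None else 0
    n = max(length or 0, needed)
    # secrets.choice draws from the OS CSPRNG, so every position is uniform over the alphabet.
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    print("chars for 256 bits (default alphabet):", length_for_bits(256))
    print("chars for 256 bits (hex):", length_for_bits(256, "0123456789abcdef"))
    print("entropy of default length 12:", round(entropy_bits(12), 2), "bits")
    print(get_random_string_entropy(min_bits=256))
```

With the 62-character alphabet, 256 bits needs 43 characters and Django's default length of 12 yields just over 71 bits, which is the "bits" figure the later reply refers to in the function's documentation.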

Moritz Sichert

Mar 5, 2016, 3:51:58 AM3/5/16
to django-d...@googlegroups.com
Can't you just define your own function called "get_random_string_entropy" that
calculates the length and then calls get_random_string?
What would be the benefit of doing that in Django directly?

Nick Timkovich

Mar 7, 2016, 11:04:48 AM3/7/16
to Django developers (Contributions to Django itself)
By the presence of a "bits" measure in the documentation of the function it seems to be known that it's a measure of interest. The benefit of adding it into Django is that by review of others it can be assured to be correct and will reduce the likelihood of security-related bugs. A bit contrived, perhaps, but as adding such a parameter requires no external dependencies, the bar shouldn't be terribly high.

Tim Graham

Mar 7, 2016, 11:10:53 AM3/7/16
to Django developers (Contributions to Django itself)
My opinion is that django.utils needn't grow features that Django itself doesn't use.

Nick Timkovich

Mar 8, 2016, 1:26:55 PM3/8/16
to Django developers (Contributions to Django itself)
When get_random_string is being used in get_random_secret_key, or CSRF key generation, would it be advantageous to specify the strength 