Insufficient Token Length

Tokens are often used as security-critical elements, such as for authentication, session management, or as part of cryptographic operations. The strength of a token is significantly influenced by its length and the randomness of its generation. Tokens with insufficient byte lengths lack the necessary entropy to withstand brute-force attacks, leading to a potential compromise of the system's security integrity.

All calls to secrets.token_bytes(), secrets.token_hex(), and secrets.token_urlsafe() MUST specify a byte size of at least 32. This requirement ensures that the generated tokens have a strong level of cryptographic security, reducing the risk of unauthorized access through token prediction or brute-force attacks.

Example

import secrets


token = secrets.token_bytes(16)

Remediation

Its recommended to increase the token size to at least 32 bytes or leave the nbytes parameter unset or set to None to use a default entropy.

import secrets


token = secrets.token_bytes()

See also

• secrets — Generate secure random numbers for managing secrets
• CWE-326: Inadequate Encryption Strength

New in version 0.3.14