Cryptographic exercises should highlight the existence of the secrets module #774

Closed
N-Parsons opened this issue Oct 8, 2017 · 4 comments

@N-Parsons

N-Parsons commented Oct 8, 2017

Python 3.6 introduced the secrets module, which provides cryptographically stronger randomness than the random module. Since this is only available in Python 3.6+, random needs to be used in the example code in order to maintain backwards compatibility.

I think it's important that any exercise involving cryptography should highlight the existence of the secrets module in Python 3.6+ and explain why it is highly preferable to random for creating secure cryptography.

During a discussion on PR #756, @m-a-ge suggested that this be raised as an issue, and that a HINTS.md be drafted for cryptographic exercises. The suggested wording for the HINTS.md is given below and is based on the wording submitted by @kusti8.

Suggested wording:

Python, as of version 3.6, includes two different random modules. The module called random is pseudo-random, meaning it does not generate true randomness, but follows an algorithm that simulates randomness. Since random numbers are generated through a known algorithm, they are not truly random. The random module is not correctly suited for cryptography and should not be used, because it is pseudo-random. In version 3.6, Python introduced the secrets module, which generates cryptographically strong random numbers that provide the greater security required for cryptography. Since this is only an exercise, random is fine to use, but note that it would be very insecure if actually used for cryptography.
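
The backwards-compatibility concern above, as an added example (not code from this issue or from the Exercism repository): it draws a Diffie-Hellman private key with secrets on Python 3.6+ and with random.SystemRandom on older versions, next to a seeded random generator whose output is reproducible. The parameters P and G and all function names are assumptions made for illustration.

```python
import random

try:  # Python 3.6+: the secrets module
    from secrets import randbelow
except ImportError:  # older Pythons: SystemRandom reads the same OS source (os.urandom)
    _sysrand = random.SystemRandom()

    def randbelow(n):
        return _sysrand.randrange(n)

# Assumed toy parameters for illustration: P is the Mersenne prime 2**127 - 1.
P = 2**127 - 1
G = 5


def private_key(p):
    """Private key in [2, p - 1] drawn from the OS CSPRNG."""
    return 2 + randbelow(p - 2)  # randbelow gives [0, p - 3]


def weak_private_key(p, seed):
    """Same range via random: the result is a pure function of the seed."""
    return random.Random(seed).randrange(2, p)


def public_key(p, g, private):
    return pow(g, private, p)


def shared_secret(p, their_public, private):
    return pow(their_public, private, p)


def exchange(p=P, g=G):
    """Run both sides of the exchange and return the two derived secrets."""
    a, b = private_key(p), private_key(p)
    A, B = public_key(p, g, a), public_key(p, g, b)
    return shared_secret(p, B, a), shared_secret(p, A, b)


if __name__ == "__main__":
    s1, s2 = exchange()
    print("shared secrets match:", s1 == s2)
    # Anyone who learns or guesses the seed regenerates the "secret" key.
    print("seeded random repeats:", weak_private_key(P, 2017) == weak_private_key(P, 2017))
```

random.SystemRandom keeps the familiar random API while drawing from the operating system's generator, so an exercise solution can stay compatible with pre-3.6 interpreters without falling back to the seeded generator.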

@lucasloisp

Said file (HINTS.md) should be added to every cryptography exercise, is that correct?

@ilya-khadykin

ilya-khadykin commented Oct 25, 2017

@exercism/python,
what about other exercises other than diffie-hellman and simple-cipher?
Do we have a full list of exercises to add a hint?

@cmccandless

@m-a-ge I believe those are the only exercises using random for cryptography at this time, but I'm happy to be corrected.

@ilya-khadykin

Ah, Ok then, I just wanted to make sure.
Closing the issue
