== How to fix it in Python Standard Library

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
import hashlib

hash = hashlib.scrypt(password, salt=b"F3MdWpeHeeSjlUxvKBnzzA", n=2**17, r=8, p=1) # Noncompliant
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
import hashlib
import secrets

salt = secrets.token_bytes(32)
hash = hashlib.scrypt(password, salt=salt, n=2**17, r=8, p=1)
----

=== How does this work?

include::../../common/fix/salt.adoc[]

Here, the compliant code example ensures the salt is random and has a sufficient
length by calling the `secrets.token_bytes` function. This one internally uses a
cryptographically secure pseudo random number generator.