replace random with secrets when generating passwords (#85971)

---------

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>

changelogs/fragments/replace-random-with-secrets.yml

@@ -0,0 +1,3 @@
+bugfixes:
+  - password lookup plugin - replace random.SystemRandom() with secrets.SystemRandom() when
+    generating passwords (https://github.com/ansible/ansible/issues/85956, https://github.com/ansible/ansible/pull/85971).

lib/ansible/plugins/lookup/password.py

@@ -67,7 +67,7 @@ DOCUMENTATION = """
         description:
           - A seed to initialize the random number generator.
           - Identical seeds will yield identical passwords.
-          - Use this for random-but-idempotent password generation.
+          - B(Note) that a weak seed, one without enough entropy, will not create a sufficiently secure encryption for the password.
         type: str
     notes:
       - A great alternative to the password lookup plugin,
@@ -113,7 +113,7 @@ EXAMPLES = """
   ansible.builtin.set_fact:
     random_pod_name: "web-{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_lowercase', 'digits'], length=8) }}"
 
-- name: create random but idempotent password
+- name: create idempotent password for use in testing/CI, not recommended for production
   ansible.builtin.set_fact:
     password: "{{ lookup('ansible.builtin.password', '/dev/null', seed=inventory_hostname) }}"
 """

lib/ansible/utils/encrypt.py

@@ -63,9 +63,10 @@ def random_password(length=DEFAULT_PASSWORD_LENGTH, chars=C.DEFAULT_PASSWORD_CHA
         raise AnsibleAssertionError(f'{chars=!r} ({type(chars)}) is not a {type(str)}.')
 
     if seed is None:
-        random_generator = random.SystemRandom()
+        random_generator = secrets.SystemRandom()
     else:
         random_generator = random.Random(seed)
+
     return u''.join(random_generator.choice(chars) for dummy in range(length))