Message192683
crypt.mksalt() creates a salt with a lower entropy than possible. It uses random.SystemRandom().sample() to generate a salt string from the set of 64 chars (string.ascii_letters + string.digits + './'). SystemRandom() uses a CPRNG (good) but sample() returns n UNIQUE members of the set (very bad). sample() reduces the set of possible chars by one for each salt char.
Suggested fix:
salt = base64.b64encode(os.urandom(salt_chars * 3 // 4), b"./").decode("ascii")

Date | User | Action | Args
2013-07-08 17:57:20 | christian.heimes | set | recipients: + christian.heimes, gregory.p.smith
2013-07-08 17:57:20 | christian.heimes | set | messageid: <1373306240.23.0.797149936972.issue18405@psf.upfronthosting.co.za>
2013-07-08 17:57:20 | christian.heimes | link | issue18405 messages
2013-07-08 17:57:19 | christian.heimes | create |
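
The entropy loss reported in the message can be measured directly. The following is an added example, not code from the issue or from CPython: it compares sample()-style salts with salts whose characters are drawn independently. The helper names and the per-character choice() generator are assumptions of this example; choice() is not the fix suggested in the message.

```python
import math
import string
from random import SystemRandom

# The 64-character salt alphabet named in the message.
SALT_CHARS = string.ascii_letters + string.digits + "./"
_rng = SystemRandom()


def salt_with_sample(n):
    """Behaviour described in the message: n UNIQUE characters of the set."""
    return "".join(_rng.sample(SALT_CHARS, n))


def salt_with_choice(n):
    """Hypothetical alternative: every character is drawn independently."""
    return "".join(_rng.choice(SALT_CHARS) for _ in range(n))


def entropy_bits_sample(n, alphabet=len(SALT_CHARS)):
    """log2 of the count of ordered selections without repetition."""
    return math.log2(math.perm(alphabet, n))


def entropy_bits_independent(n, alphabet=len(SALT_CHARS)):
    """log2 of alphabet**n: the maximum for n characters."""
    return n * math.log2(alphabet)


def has_repeat(salt):
    return len(set(salt)) < len(salt)


def repeat_rate(generator, n, trials=2000):
    """Fraction of generated salts that contain a repeated character."""
    return sum(has_repeat(generator(n)) for _ in range(trials)) / trials


if __name__ == "__main__":
    for n in (2, 8, 16):  # constructed salt lengths for illustration
        lost = entropy_bits_independent(n) - entropy_bits_sample(n)
        print(f"{n:2d} chars: max {entropy_bits_independent(n):5.1f} bits, "
              f"sample() {entropy_bits_sample(n):6.2f} bits, lost {lost:.2f}")
    print("repeat rate, sample():", repeat_rate(salt_with_sample, 16))
    print("repeat rate, choice():", repeat_rate(salt_with_choice, 16))
```

A salt that never contains a repeated character across many generated values is a quick indicator that the generator draws without replacement.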