Author christian.heimes
Recipients SilentGhost, brett.cannon, christian.heimes, dmalcolm, ezio.melotti, jafo, nicdumz, pitrou, rhettinger
Date 2012-06-26.08:53:50
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1340700833.41.0.903294190834.issue10924@psf.upfronthosting.co.za>
In-reply-to
Content
I just found mksalt in the whatsnew section and got curious how you've implemented the function. IMHO it has one major security flaw.

The function uses random.choice(). The choice() function generates random values with a Mersenne Twister. However MTs are not suited for any cryptographic purpose and must not be used to generate passwords, session keys or salts.

The random.SystemRandom class uses os.urandom() as source which is a wrapper around /dev/urandom or the Windows crypto API. The output is suitable for short living states and salts.

I'm going to chance the implementation to a global instance of random.SystemRandom() and _sr.samples() as soon as Georg has cut beta 1.

_sr = random.SystemRandom()

s += ''.join(_sr.samples(_saltchars, method.salt_chars))
History
Date User Action Args
2012-06-26 08:53:54christian.heimessetrecipients: + christian.heimes, brett.cannon, rhettinger, jafo, pitrou, ezio.melotti, nicdumz, SilentGhost, dmalcolm
2012-06-26 08:53:53christian.heimessetmessageid: <1340700833.41.0.903294190834.issue10924@psf.upfronthosting.co.za>
2012-06-26 08:53:52christian.heimeslinkissue10924 messages
2012-06-26 08:53:50christian.heimescreate