This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients christian.heimes, gregory.p.smith
Date 2013-07-08.17:57:19
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
crypt.mksalt() creates a salt with a lower entropy than possible. It uses random.SystemRandom().sample() to generate a salt string from the set of 64 chars (string.ascii_letters + string.digits + './'). SystemRandom() uses a CPRNG (good) but sample() returns n UNIQUE members of the set (very bad). sample() reduces the set possible chars by one for each salt char.

Suggested fix:

salt = base64.b64encode(os.urandom(salt_chars * 3 // 4), b"./").decode("ascii")
Date User Action Args
2013-07-08 17:57:20christian.heimessetrecipients: + christian.heimes, gregory.p.smith
2013-07-08 17:57:20christian.heimessetmessageid: <>
2013-07-08 17:57:20christian.heimeslinkissue18405 messages
2013-07-08 17:57:19christian.heimescreate