Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#7396 closed defect (fixed)

[patch] password salts and randomness length

Reported by: weasel Owned by: hasienda
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: password generation quality
Cc: Trac Release: 0.11



It appears salt() reads only 4 bytes of randomness, but it actually wants 48 bits (6 bytes) worth.

Patch attached.

Attachments (1)

0001-Use-proper-length-of-urandom-fetch-for-salt.patch (738 bytes) - added by weasel 4 years ago.


Change History (5)

comment:1 Changed 4 years ago by hasienda

  • Keywords password generation quality added
  • Summary changed from password salts and randomness length to [patch] password salts and randomness length

comment:2 Changed 4 years ago by hasienda

  • Owner changed from mgood to hasienda
  • Status changed from new to assigned

I have to confess that I wouldn't have spotted this on my own. Thank you very much for the report and the patch provided as well.

comment:3 Changed 4 years ago by hasienda

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [9241]) AccountManagerPlugin: Correct init for password creation, closes #7396.

There are more urgent security-related issues left, but this is too
easy not to fix right away.

comment:4 Changed 3 years ago by hasienda

(In [10524]) AccountManagerPlugin: Add configurable salt string char count, refs #7396 and #8933.

Newer hash algorithms are capable of using more than 8 characters of salt.
For improved hash protection we'll feed them at maximum length.
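The arithmetic behind the report (a 64-symbol salt alphabet consumes 6 bits per character, so 8 characters need 48 bits, i.e. 6 bytes, not 4) and behind the later change to longer salts, as an added example written for this page; it is not the plugin's code, which the ticket does not show. The crypt-style itoa64 alphabet, the function names and the `rng` parameter are assumptions made for illustration; the real salt() may encode its bytes differently.

```python
import math
import os

# Assumed crypt(3)-style salt alphabet: 64 symbols, 6 bits per symbol.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def salt_bytes_needed(salt_chars):
    """Bytes of randomness needed to fill salt_chars 6-bit symbols (8 chars -> 6 bytes)."""
    return math.ceil(salt_chars * 6 / 8)


def effective_entropy_bits(salt_chars, rand_bytes):
    """Entropy actually present in the salt: capped by whichever side is shorter."""
    return min(salt_chars * 6, rand_bytes * 8)


def generate_salt(salt_chars=8, rand_bytes=None, rng=os.urandom):
    """Build a salt of salt_chars symbols from rand_bytes random bytes.

    rand_bytes defaults to the correct amount.  Passing a smaller value
    (e.g. 4 for an 8-character salt) reproduces the shortfall from the
    report: the high-order symbols are filled from bits that were never
    read, so they come out as a constant '.'.
    rng is injectable only so the behaviour can be checked deterministically.
    """
    if rand_bytes is None:
        rand_bytes = salt_bytes_needed(salt_chars)
    value = int.from_bytes(rng(rand_bytes), "big")
    out = []
    for _ in range(salt_chars):
        out.append(SALT_ALPHABET[value & 0x3F])  # take the low 6 bits
        value >>= 6
    return "".join(out)


if __name__ == "__main__":
    # Constructed deterministic source (all-ones) to make the shortfall visible.
    ones = lambda n: b"\xff" * n
    print("8 chars from 6 bytes:", generate_salt(8, rand_bytes=6, rng=ones))
    print("8 chars from 4 bytes:", generate_salt(8, rand_bytes=4, rng=ones))
    for n in (8, 16, 22):
        print(n, "chars need", salt_bytes_needed(n), "bytes")
```

With 4 bytes the last two of eight symbols are always `.` and the sixth carries only 2 bits, so the salt has 32 bits of entropy while looking like a 48-bit one; feeding `salt_bytes_needed(n)` bytes for the configured character count keeps the salt fully random however long the hash algorithm allows it to be.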
