#7396 closed defect (fixed)
[patch] password salts and randomness length
| Reported by: | weasel | Owned by: | hasienda |
|---|---|---|---|
| Priority: | normal | Component: | AccountManagerPlugin |
| Severity: | normal | Keywords: | password generation quality |
| Cc: | | Trac Release: | 0.11 |
Description
Hey,
It appears salt() reads only 4 bytes of randomness, but it actually wants 48 bits (6 bytes) worth.
Patch attached.
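The bit/byte mismatch the report describes, worked through as an added example. This is my illustration code, not AccountManagerPlugin's own salt(): the 64-character crypt(3)-style alphabet, the little-endian bit packing and every function name here are assumptions made for the example. An 8-character salt drawn from a 64-symbol alphabet carries 6 bits per character, so 48 bits, i.e. 6 bytes; a generator that reads only 4 bytes can emit at most 2^32 of the 2^48 possible salts, and with straightforward bit packing the last two characters never change at all. The same arithmetic gives the byte count for the longer salts that comment 4 later makes configurable.

```python
import os

# 64-symbol crypt(3)-style salt alphabet: 6 bits per character.
# Assumption for this example; not AccountManagerPlugin's own code.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
BITS_PER_CHAR = 6  # log2(64)


def bits_needed(chars):
    """Bits of randomness an N-character salt from a 64-symbol alphabet can carry."""
    return chars * BITS_PER_CHAR


def bytes_needed(chars):
    """Bytes to read so every salt character is backed by fresh randomness (rounded up)."""
    return (bits_needed(chars) + 7) // 8


def encode_salt(raw, chars):
    """Map `raw` bytes onto `chars` alphabet characters, 6 bits at a time from the low end.
    Bits beyond len(raw) * 8 read as zero: that is exactly what a too-short read produces."""
    n = int.from_bytes(raw, "little")
    out = []
    for _ in range(chars):
        out.append(SALT_ALPHABET[n & 63])
        n >>= BITS_PER_CHAR
    return "".join(out)


def weak_salt(chars=8, rng=os.urandom):
    """The defect the ticket reports: always read 4 bytes (32 bits), however long the salt."""
    return encode_salt(rng(4), chars)


def make_salt(chars=8, rng=os.urandom):
    """Read enough bytes for the requested character count and refuse to pad silently."""
    need = bytes_needed(chars)
    raw = rng(need)
    if len(raw) < need:
        raise RuntimeError("randomness source returned too few bytes")
    return encode_salt(raw, chars)


def distinct_salts(nbytes, chars):
    """Number of different salts a generator can emit when it reads `nbytes` of randomness
    for a `chars`-character salt: bounded by whichever of the two is smaller."""
    return min(2 ** (8 * nbytes), 64 ** chars)


def fixed_positions(salt_fn, chars, samples=64):
    """Crude check: generate `samples` salts and report character positions that never vary.
    A correct generator leaves this empty; a too-short read leaves the top positions stuck."""
    salts = [salt_fn(chars) for _ in range(samples)]
    return [i for i in range(chars) if len({s[i] for s in salts}) == 1]


if __name__ == "__main__":
    print("4 bytes for 8 chars reaches", distinct_salts(4, 8), "salts (2**32)")
    print("6 bytes for 8 chars reaches", distinct_salts(6, 8), "salts (2**48)")
    print("positions stuck with weak_salt:", fixed_positions(weak_salt, 8))
    print("positions stuck with make_salt:", fixed_positions(make_salt, 8))
    print("16-char salt for newer hashes needs", bytes_needed(16), "bytes:", make_salt(16))
```

The `rng` parameter exists so the generators can be fed a deterministic byte source when checking them; with `os.urandom` the weak variant always reports positions 6 and 7 as stuck, because bits 32 to 47 of the packed value are never set.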
Attachments (1)
Change History (5)
Changed 3 years ago by weasel
comment:1 Changed 3 years ago by hasienda
- Keywords password generation quality added
- Summary changed from password salts and randomness length to [patch] password salts and randomness length
I have to confess that I wouldn't have spotted this on my own. Thank you very much for the report and the patch provided as well.
comment:2 Changed 3 years ago by hasienda
- Owner changed from mgood to hasienda
- Status changed from new to assigned
comment:3 Changed 3 years ago by hasienda
- Resolution set to fixed
- Status changed from assigned to closed
(In [9241]) AccountManagerPlugin: Correct init for password creation, closes #7396.
There are more urgent security-related issues left, but this is too easy to not fix it right away.
comment:4 Changed 23 months ago by hasienda
(In [10524]) AccountManagerPlugin: Add configurable salt string char count, refs #7396 and #8933.
Newer hash algorithms are capable of using more than 8 characters of salt.
For improved hash protection we'll feed them at maximum length.