Ticket #7396 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

[patch] password salts and randomness length

Reported by: weasel
Assigned to: hasienda
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: password generation quality
Cc:
Trac Release: 0.11

Description

Hey,

it appears salt() reads only 4 bytes of randomness but it actually wants 48 bits (6 bytes) worth.

Patch attached.

Attachments

0001-Use-proper-length-of-urandom-fetch-for-salt.patch (0.7 kB) - added by weasel on 07/20/10 22:02:39.

Change History

07/20/10 22:02:39 changed by weasel

  • attachment 0001-Use-proper-length-of-urandom-fetch-for-salt.patch added.

09/26/10 17:05:47 changed by hasienda

  • keywords set to password generation quality.
  • summary changed from password salts and randomness length to [patch] password salts and randomness length.

10/02/10 00:40:52 changed by hasienda

  • owner changed from mgood to hasienda.
  • status changed from new to assigned.

I have to confess that I wouldn't have spotted this on my own. Thank you very much for the report and the patch provided as well.

10/02/10 00:44:22 changed by hasienda

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [9241]) AccountManagerPlugin: Correct init for password creation, closes #7396.

There are more urgent security-related issues left, but this is too easy to not fix it right away.

08/02/11 00:38:55 changed by hasienda

(In [10524]) AccountManagerPlugin: Add configurable salt string char count, refs #7396 and #8933.

Newer hash algorithms are capable of using more than 8 characters of salt. For improved hash protection we'll feed them at maximum length.
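
An added example, not part of the ticket or the plugin's own code: it shows why an 8-character salt needs 6 bytes of randomness, and generalizes the byte count to the configurable salt lengths mentioned in the last comment. Assumptions: the crypt-style 64-character alphabet, low-bits-first encoding, and all function names here are hypothetical.

```python
import os

# Assumed crypt(3)-style salt alphabet: 64 characters, so 6 bits per character.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def bytes_needed(salt_chars):
    """Whole bytes of randomness required to fill salt_chars 6-bit characters."""
    return (salt_chars * 6 + 7) // 8


def encode_salt(raw, salt_chars=8):
    """Map raw random bytes onto salt_chars characters, lowest 6 bits first."""
    v = int.from_bytes(raw, "big")
    out = []
    for _ in range(salt_chars):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "".join(out)


def salt(salt_chars=8, rng=os.urandom):
    """Salt backed by enough randomness for every character."""
    return encode_salt(rng(bytes_needed(salt_chars)), salt_chars)


def short_salt(salt_chars=8, rng=os.urandom):
    """The defect described in the ticket: only 4 bytes (32 bits) are read."""
    return encode_salt(rng(4), salt_chars)


def fixed_positions(make_salt, trials=2000):
    """Indexes whose character never varies across many generated salts."""
    samples = [make_salt() for _ in range(trials)]
    return [i for i in range(len(samples[0]))
            if len({s[i] for s in samples}) == 1]


if __name__ == "__main__":
    print("bytes for 8 chars:", bytes_needed(8))
    print("constant positions, 4-byte read:", fixed_positions(short_salt))
    print("constant positions, 6-byte read:", fixed_positions(salt))
```

Under these assumptions a 4-byte read leaves the last two salt characters constant and the sixth limited to four values, so only 2^32 of the 2^48 possible salts can occur.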

