
Opened 7 years ago

Closed 7 years ago

Last modified 6 years ago

#7396 closed defect (fixed)

[patch] password salts and randomness length

Reported by: Peter Palfrader
Owned by: Steffen Hoffmann
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: password generation quality
Cc:
Trac Release: 0.11

Description

Hey,

it appears salt() reads only 4 bytes of randomness but it actually wants 48 bits (6 bytes) worth.

Patch attached.
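As an added illustration (not the plugin's code and not the attached patch): this constructed model assumes the salt is eight crypt-style characters of 6 bits each, sliced from an integer built from the urandom bytes, which is where the 48-bit (6-byte) requirement in the report comes from. fixed_positions() shows why a 4-byte read leaves part of the salt constant.

```python
import os

# Constructed model, not AccountManagerPlugin's code: an 8-character salt is
# built from eight 6-bit groups of an integer, so it needs 48 bits of input.
# ITOA64 is the usual crypt-style alphabet for this kind of encoding.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
SALT_CHARS = 8  # 8 chars * 6 bits = 48 bits = 6 bytes


def salt_from_bytes(raw):
    """Encode random bytes into SALT_CHARS characters, 6 bits per character.

    With fewer than 6 input bytes the high 6-bit groups are zero, so the
    trailing characters are always ITOA64[0]: that is the reported defect.
    """
    v = int.from_bytes(raw, 'little')
    s = ''
    for _ in range(SALT_CHARS):
        s += ITOA64[v & 0x3f]
        v >>= 6
    return s


def make_salt(nbytes):
    """Generate a salt from `nbytes` of os.urandom (4 = buggy, 6 = fixed)."""
    return salt_from_bytes(os.urandom(nbytes))


def fixed_positions(nbytes):
    """Salt positions that can never vary when only `nbytes` feed the
    encoding (pure arithmetic on bit offsets, no randomness involved)."""
    return [i for i in range(SALT_CHARS) if 6 * i >= 8 * nbytes]


def distinct_values_at(nbytes, pos):
    """How many distinct characters are possible at `pos` given `nbytes`."""
    bits = max(0, min(6, 8 * nbytes - 6 * pos))
    return 2 ** bits


if __name__ == '__main__':
    for n in (4, 6):
        print('%d bytes: salt %s, fixed positions %s'
              % (n, make_salt(n), fixed_positions(n)))
```

With 4 bytes, positions 6 and 7 are always '.' and position 5 can take only 4 values, so the salt carries 32 bits instead of 48.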

Attachments (1)

0001-Use-proper-length-of-urandom-fetch-for-salt.patch (738 bytes) - added by Peter Palfrader 7 years ago.


Change History (5)

Changed 7 years ago by Peter Palfrader

comment:1 Changed 7 years ago by Steffen Hoffmann

Keywords: password generation quality added
Summary: changed from "password salts and randomness length" to "[patch] password salts and randomness length"

comment:2 Changed 7 years ago by Steffen Hoffmann

Owner: changed from Matt Good to Steffen Hoffmann
Status: new → assigned

I have to confess that I wouldn't have spotted this on my own. Thank you very much for the report and the patch provided as well.

comment:3 Changed 7 years ago by Steffen Hoffmann

Resolution: fixed
Status: assigned → closed

(In [9241]) AccountManagerPlugin: Correct init for password creation, closes #7396.

There are more urgent security-related issues left, but this is too easy to not fix it right away.

comment:4 Changed 6 years ago by Steffen Hoffmann

(In [10524]) AccountManagerPlugin: Add configurable salt string char count, refs #7396 and #8933.

Newer hash algorithms are capable of using more than 8 characters of salt. For improved hash protection we'll feed them at maximum length.
