Opened 7 years ago

Closed 6 years ago

Last modified 5 years ago

#7396 closed defect (fixed)

[patch] password salts and randomness length

Reported by: weasel
Owned by: hasienda
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: password generation quality
Cc:
Trac Release: 0.11



It appears salt() reads only 4 bytes of randomness but it actually wants 48 bits (6 bytes) worth.

Patch attached.

Attachments (1)

0001-Use-proper-length-of-urandom-fetch-for-salt.patch (738 bytes) - added by weasel 7 years ago.


Change History (5)

comment:1 Changed 6 years ago by hasienda

  • Keywords password generation quality added
  • Summary changed from password salts and randomness length to [patch] password salts and randomness length

comment:2 Changed 6 years ago by hasienda

  • Owner changed from mgood to hasienda
  • Status changed from new to assigned

I have to confess that I wouldn't have spotted this on my own. Thank you very much for the report and the patch provided as well.

comment:3 Changed 6 years ago by hasienda

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [9241]) AccountManagerPlugin: Correct init for password creation, closes #7396.

There are more urgent security-related issues left, but this is too easy not to fix right away.

comment:4 Changed 5 years ago by hasienda

(In [10524]) AccountManagerPlugin: Add configurable salt string char count, refs #7396 and #8933.

Newer hash algorithms are capable of using more than 8 characters of salt. For improved hash protection we'll feed them at maximum length.
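The arithmetic behind both the original report (4 bytes read where 48 bits, i.e. 6 bytes, are needed for an 8-character salt) and the configurable salt length introduced in comment:4 can be shown in a few lines. The block below is an added illustration, not AccountManagerPlugin's own code: the plugin's real salt() is not shown on this page, so the function names (`make_salt`, `bytes_for_salt_chars`, `effective_entropy_bits`, `padding_leaked`), the crypt-style base64 alphabet and the injectable `urandom` parameter are assumptions made for the example.

```python
import base64
import math
import os

# Added illustration, not AccountManagerPlugin's own code: shows why an
# 8-character salt needs 6 bytes (48 bits) from os.urandom rather than 4,
# and how many bytes a configurable salt length needs in general.

SALT_ALTCHARS = b"./"   # crypt-style alphabet: A-Z a-z 0-9 . /


def bytes_for_salt_chars(salt_char_count):
    """Bytes of randomness needed to fill salt_char_count base64-style
    characters: each character carries 6 bits, so 8 chars need 48 bits."""
    return math.ceil(salt_char_count * 6 / 8)


def effective_entropy_bits(nbytes, salt_char_count):
    """Entropy a salt really carries: bounded both by the random bytes read
    and by what the salt characters can encode."""
    return min(8 * nbytes, 6 * salt_char_count)


def make_salt(salt_char_count=8, nbytes=None, urandom=os.urandom):
    """Return a salt of salt_char_count characters drawn from urandom.

    nbytes defaults to the full amount; passing fewer reproduces the
    under-read described in the ticket. The urandom parameter exists only
    so tests can substitute a deterministic source (assumed helper)."""
    if nbytes is None:
        nbytes = bytes_for_salt_chars(salt_char_count)
    raw = urandom(nbytes)
    encoded = base64.b64encode(raw, altchars=SALT_ALTCHARS).decode("ascii")
    return encoded[:salt_char_count]


def padding_leaked(salt):
    """True when base64 padding reached the salt, i.e. fewer bytes were read
    than the salt length needs; '=' is not a crypt salt character."""
    return "=" in salt


if __name__ == "__main__":
    short = make_salt(8, nbytes=4)   # the bug: 4 bytes -> 'xxxxxx=='
    full = make_salt(8)              # the fix: 6 bytes -> 8 real chars
    print(short, padding_leaked(short), effective_entropy_bits(4, 8))
    print(full, padding_leaked(full), effective_entropy_bits(6, 8))
```

With 4 bytes the encoder emits six alphabet characters and two padding characters, so the salt carries 32 bits and ends in `==`; with 6 bytes all eight characters are real and the salt carries the full 48 bits. For a configurable salt length the same rule holds: read `ceil(chars * 6 / 8)` bytes, which is exactly what keeps padding out of longer salts too.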
