Opened 14 years ago

Closed 14 years ago

Last modified 13 years ago

#7396 closed defect (fixed)

[patch] password salts and randomness length

Reported by: Peter Palfrader Owned by: Steffen Hoffmann
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: password generation quality
Cc: Trac Release: 0.11



it appears salt() reads only 4 bytes of randomness but it actually wants 48 bits (6 bytes) worth.

Patch attached.

Attachments (1)

0001-Use-proper-length-of-urandom-fetch-for-salt.patch (738 bytes) - added by Peter Palfrader 14 years ago.

Download all attachments as: .zip

Change History (5)

Changed 14 years ago by Peter Palfrader

comment:1 Changed 14 years ago by Steffen Hoffmann

Keywords: password generation quality added
Summary: password salts and randomness length[patch] password salts and randomness length

comment:2 Changed 14 years ago by Steffen Hoffmann

Owner: changed from Matt Good to Steffen Hoffmann
Status: newassigned

I have to confess, that I wouldn't have spotted this on my own. Thank you very much for the report and the patch provided as well.

comment:3 Changed 14 years ago by Steffen Hoffmann

Resolution: fixed
Status: assignedclosed

(In [9241]) AccountManagerPlugin: Correct init for password creation, closes #7396.

There are more urgent security related issues left, but his is too easy to not fix it right away.

comment:4 Changed 13 years ago by Steffen Hoffmann

(In [10524]) AccountManagerPlugin: Add configurable salt string char count, refs #7396 and #8933.

Newer hash algorithms are capable of using more than 8 characters of salt. For improved hash protection we'll feed them at maximum length.

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Steffen Hoffmann.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.