#7396 closed defect (fixed)
[patch] password salts and randomness length
Reported by: | Peter Palfrader | Owned by: | Steffen Hoffmann |
---|---|---|---|
Priority: | normal | Component: | AccountManagerPlugin |
Severity: | normal | Keywords: | password generation quality |
Cc: | | Trac Release: | 0.11 |
Description
Hey,
it appears salt() reads only 4 bytes of randomness but it actually wants 48 bits (6 bytes) worth.
Patch attached.
Attachments (1)
Change History (5)
Changed 14 years ago by
Attachment: | 0001-Use-proper-length-of-urandom-fetch-for-salt.patch added |
---|---|
comment:1 Changed 14 years ago by
Keywords: | password generation quality added |
---|---|
Summary: | password salts and randomness length → [patch] password salts and randomness length |
comment:2 Changed 14 years ago by
Owner: | changed from Matt Good to Steffen Hoffmann |
---|---|
Status: | new → assigned |
comment:3 Changed 14 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
(In [9241]) AccountManagerPlugin: Correct init for password creation, closes #7396.
There are more urgent security-related issues left, but this is too easy to not fix it right away.
comment:4 Changed 13 years ago by
(In [10524]) AccountManagerPlugin: Add configurable salt string char count, refs #7396 and #8933.
Newer hash algorithms are capable of using more than 8 characters of salt. For improved hash protection we'll feed them at maximum length.
I have to confess that I wouldn't have spotted this on my own. Thank you very much for the report and the patch provided as well.
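To illustrate the report's point (a base64-style 8-character salt carries 48 bits, so the `os.urandom` read must be 6 bytes, not 4) and comment:4's configurable salt length, here is an added example that is not AccountManagerPlugin's code; the function names, the `urandom` parameter and the `bytes_needed` helper are assumptions of this example.

```python
import base64
import math
import os

# crypt(3)-style salt alphabet: base64 with '+' and '/' swapped for '.' and '/'
SALT_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./")


def bytes_needed(char_count):
    """Bytes of randomness required to fill char_count salt characters.

    Each base64 character carries 6 bits, so 8 chars need 48 bits = 6 bytes.
    """
    return math.ceil(char_count * 6 / 8)


def encode_salt(raw, char_count):
    """Encode raw bytes with the crypt(3) alphabet, dropping '=' padding."""
    text = base64.b64encode(raw, altchars=b"./").decode("ascii").rstrip("=")
    # if raw was too short, the salt comes out shorter than requested
    return text[:char_count]


def make_salt(char_count=8, urandom=os.urandom):
    """Read exactly enough randomness for a char_count-character salt."""
    return encode_salt(urandom(bytes_needed(char_count)), char_count)


def salt_entropy_bits(raw_len, char_count):
    """Entropy the salt really carries: bounded by bytes read and chars kept."""
    return min(raw_len * 8, char_count * 6)


if __name__ == "__main__":
    # The reported defect: 4 bytes fill only 6 of 8 characters (32 bits + '==').
    short = encode_salt(os.urandom(4), 8)
    print("4 bytes ->", len(short), "chars,", salt_entropy_bits(4, 8), "bits")
    good = make_salt(8)
    print("6 bytes ->", len(good), "chars,", salt_entropy_bits(6, 8), "bits")
    # Longer salts for newer hash algorithms, as in comment:4.
    print("16-char salt needs", bytes_needed(16), "bytes:", make_salt(16))
```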