[New-bugs-announce] [issue18405] crypt.mksalt() result has unnecessarily low entropy

Christian Heimes report at bugs.python.org
Mon Jul 8 19:57:20 CEST 2013


New submission from Christian Heimes:

crypt.mksalt() creates a salt with a lower entropy than possible. It uses random.SystemRandom().sample() to generate a salt string from the set of 64 chars (string.ascii_letters + string.digits + './'). SystemRandom() uses a CPRNG (good) but sample() returns n UNIQUE members of the set (very bad). sample() reduces the set of possible chars by one for each salt char.

Suggested fix:

import base64, os
# salt_chars is the salt length of the chosen crypt method
salt = base64.b64encode(os.urandom(salt_chars * 3 // 4), b"./").decode("ascii")
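As an added example (not part of the report and not CPython's crypt module), the following quantifies the entropy lost by drawing salt characters without replacement and places the flawed construction beside the suggested one; SALT_ALPHABET, salt_entropy_bits, mksalt_sample and mksalt_urandom are names chosen here.

```python
# Added example: entropy of a crypt salt drawn without vs. with replacement.
import base64
import math
import os
import random
import string

# The 64-character crypt salt alphabet named in the report.
SALT_ALPHABET = string.ascii_letters + string.digits + "./"


def salt_entropy_bits(salt_chars, with_replacement):
    """Bits of entropy in a salt of salt_chars symbols from a 64-char alphabet.

    With replacement every position has 64 choices (6 bits each).
    random.sample() draws without replacement, so position i has only
    64 - i choices and the total is log2(64 * 63 * ... * (64 - salt_chars + 1)).
    """
    n = len(SALT_ALPHABET)
    if with_replacement:
        return salt_chars * math.log2(n)
    return sum(math.log2(n - i) for i in range(salt_chars))


def mksalt_sample(salt_chars):
    """The flawed construction: sample() never repeats a character, so
    salts such as 'aaaaaaaa' can never be produced."""
    return "".join(random.SystemRandom().sample(SALT_ALPHABET, salt_chars))


def mksalt_urandom(salt_chars):
    """The suggested fix: base64 over os.urandom() bytes, with './' substituted
    for '+/' so the output stays inside SALT_ALPHABET.

    salt_chars must be a multiple of 4; otherwise base64 would append '='
    padding, which is not a valid salt character.
    """
    if salt_chars % 4:
        raise ValueError("salt_chars must be a multiple of 4 for padding-free base64")
    raw = os.urandom(salt_chars * 3 // 4)  # 3 bytes encode to 4 base64 chars
    return base64.b64encode(raw, b"./").decode("ascii")


if __name__ == "__main__":
    for n in (8, 16):
        print(n, "chars: sample() %.1f bits, urandom %.1f bits"
              % (salt_entropy_bits(n, False), salt_entropy_bits(n, True)))
```

For a 16-character salt the gap is about 3 bits (roughly 93 versus 96), and the with-replacement generator can emit repeated characters that sample() structurally excludes.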

----------
assignee: christian.heimes
components: Library (Lib)
messages: 192683
nosy: christian.heimes, gregory.p.smith
priority: critical
severity: normal
stage: patch review
status: open
title: crypt.mksalt() result has unnecessarily low entropy
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue18405>
_______________________________________
