Opened 14 years ago
Closed 14 years ago
#13969 closed Cleanup/optimization (fixed)
auth module should use longer salt for hashing
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by | Craig Younkins | Owned by | nobody |
| Component | contrib.auth | Version | 1.2 |
| Severity | Normal | Keywords | security |
| Cc | (none) | Triage Stage | Accepted |
| Has patch | yes | Needs documentation | no |
| Needs tests | no | Patch needs improvement | yes |
| Easy pickings | no | UI/UX | no |
Description
As noted here - http://www.pythonsecurity.org/wiki/django/#authentication - the current auth module uses 5 hexadecimal characters as a salt. This is equivalent to 20 bits (log base 2 of 16^5). See http://code.djangoproject.com/browser/django/tags/releases/1.2.1/django/contrib/auth/models.py#L240
PKCS5 v2.1 draft (http://www.rsa.com/rsalabs/node.asp?id=2127) recommends that a salt of at least 64 bits be used. This will strengthen the password scheme by increasing the time needed for dictionary attacks.
Attachments (1)
Change History (8)
comment:1 by , 14 years ago
comment:2 by , 14 years ago
comment:3 by , 14 years ago
Has patch: → set
Added patch that adds better salt generation with 12 random characters from a-z, A-Z, 0-9, equivalent to 71 bits of entropy.
It tries to use random.SystemRandom as the entropy pool, falling back to random if SystemRandom raises NotImplementedError, which will occur on operating systems without /dev/urandom or CryptGenRandom on Windows.
I ran the 1700 Django unit tests but did not test it in an application. Adding a regression test is not possible.
Craig Younkins
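The scheme described in the comment above (12 characters from a 62-symbol alphabet, drawn from random.SystemRandom with a fallback to random when the OS offers no entropy source), shown as an added, self-contained example; it is not the attached patch and not Django's own code. The legacy 5-hex-character salt is included only for comparison, and the "algorithm$salt$hexdigest" layout of hash_password is an assumption made for illustration, modelled on the salted-SHA1 layout this ticket discusses rather than copied from models.py.

```python
import hashlib
import math
import random

# Alphabet proposed in the patch: a-z, A-Z, 0-9 (62 symbols).
SALT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Alphabet of the pre-patch salt: 5 lowercase hex characters (16 symbols).
LEGACY_HEX_ALPHABET = "0123456789abcdef"


def salt_space(alphabet_size, length):
    """Number of distinct salts: every possible salt a dictionary attacker must
    precompute against to cover the whole user base."""
    return alphabet_size ** length


def salt_bits(alphabet_size, length):
    """Entropy of a uniformly chosen salt, in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def make_salt(length=12, alphabet=SALT_ALPHABET):
    """Draw `length` symbols from `alphabet` using the OS CSPRNG.

    random.SystemRandom reads /dev/urandom (or CryptGenRandom on Windows); on a
    platform with neither, os.urandom raises NotImplementedError at the first
    draw, and we fall back to the default generator as the patch does. That
    fallback is the documented weak path: the Mersenne Twister is not a CSPRNG.
    """
    try:
        rng = random.SystemRandom()
        return "".join(rng.choice(alphabet) for _ in range(length))
    except NotImplementedError:
        rng = random.Random()
        return "".join(rng.choice(alphabet) for _ in range(length))


def make_legacy_salt():
    """The old 5-hex-character salt, for comparison only (do not use)."""
    return make_salt(length=5, alphabet=LEGACY_HEX_ALPHABET)


def hash_password(raw_password, salt, algorithm="sha1"):
    """Assumed 'algorithm$salt$hexdigest' layout with salted SHA-1.

    Only sha1 is modelled here; the point of the example is the salt, not the
    digest (a single SHA-1 round is itself too cheap for password storage).
    """
    if algorithm != "sha1":
        raise ValueError("only sha1 is modelled in this example")
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return "%s$%s$%s" % (algorithm, salt, digest)


def check_password(raw_password, encoded):
    """Re-derive the digest with the stored salt and compare against the record."""
    algorithm, salt, _digest = encoded.split("$", 2)
    return hash_password(raw_password, salt, algorithm) == encoded


def compare_schemes():
    """Summarise the attacker's precomputation cost for both salt schemes."""
    return {
        "legacy_bits": salt_bits(len(LEGACY_HEX_ALPHABET), 5),
        "legacy_space": salt_space(len(LEGACY_HEX_ALPHABET), 5),
        "patch_bits": salt_bits(len(SALT_ALPHABET), 12),
        "patch_space": salt_space(len(SALT_ALPHABET), 12),
    }


if __name__ == "__main__":
    # Constructed sample password; two salts give two unrelated records.
    pw = "correct horse battery staple"
    rec_a = hash_password(pw, make_salt())
    rec_b = hash_password(pw, make_salt())
    assert rec_a != rec_b and check_password(pw, rec_a) and check_password(pw, rec_b)
    for key, value in compare_schemes().items():
        print(key, value)
```

Running the module prints the two salt spaces side by side: 16^5 is about a million salts, so a rainbow table for the old scheme needs only ~2^20 times the work of an unsalted one, while 62^12 (about 2^71.5) pushes the table well past the 64-bit floor recommended in PKCS #5 v2.1 and forces per-user guessing instead.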
by , 14 years ago
Attachment: better_salting.diff added
comment:4 by , 14 years ago
Patch needs improvement: → set
Triage Stage: Unreviewed → Accepted
This is a valid concern, and the code works for me, however I'm not a security expert so it could use another set of eyes.
It's a minor concern, but the example salt in the documentation probably ought to be updated as well, lest people think we're still only using a five-character salt: http://docs.djangoproject.com/en/dev/topics/auth/#passwords
comment:5 by , 14 years ago
Component: Contrib apps → contrib.auth
comment:6 by , 14 years ago
Severity: → Normal
Type: → Cleanup/optimization
Related thread on django-developers: http://groups.google.com/group/django-developers/browse_thread/thread/d192e244c63a71d0