Weak salts for auth backend
Reported by: ninjaneo
Owned by: nobody
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
salt = get_hexdigest(algo, str(random.random()), str(random.random()))[:5]
Does not provide enough entropy, as it is solely numeric, and always begins with: '0.'
That means it only increases complexity by 3 numbers. 10*10*10 = 1000 possibilities.
Noticed there is also no iterative hashing performed (rounds), which is a crucial part of salting.
Perhaps use os.urandom?
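The following is an added example, not code from the ticket or from Django itself. It reconstructs the quoted salt scheme (the `get_hexdigest` helper here is an assumed reimplementation: digest of salt concatenated with the raw value, which is how the quoted call is used), counts the distinct salts it can produce (five hex characters, so 16**5), shows that a salt that small can be recovered by enumeration, and contrasts it with an `os.urandom` salt plus iterated hashing (PBKDF2-HMAC-SHA256) as the ticket suggests. Iteration count, salt length and the storage format are the example's own choices.

```python
import hashlib
import hmac
import os
import random


def get_hexdigest(algo, salt, raw):
    """Assumed reconstruction of the helper used in the quoted line:
    hex digest of salt + raw under the named algorithm."""
    return hashlib.new(algo, (salt + raw).encode()).hexdigest()


def legacy_salt(algo="sha1"):
    """The salt construction quoted in the ticket.
    random.random() is a Mersenne Twister output, not a CSPRNG, and only the
    first five hex characters of the digest are kept."""
    return get_hexdigest(algo, str(random.random()), str(random.random()))[:5]


def legacy_salt_space():
    # Five hex digits: 16 ** 5 = 1048576 distinct salts, i.e. about 20 bits.
    return 16 ** 5


def legacy_hash(password, salt, algo="sha1"):
    # Single unsalted-style digest pass: no work factor at all.
    return get_hexdigest(algo, salt, password)


def brute_force_legacy_salt(password, target_hash, algo="sha1"):
    """Given a known password and its legacy hash, recover the salt by trying
    every possible five-hex-digit value. Shows that the salt adds at most
    ~20 bits of effort to an offline attack."""
    for i in range(legacy_salt_space()):
        candidate = f"{i:05x}"
        if legacy_hash(password, candidate, algo) == target_hash:
            return candidate
    return None


def strong_salt(nbytes=16):
    """Salt from the OS CSPRNG: 16 bytes = 128 bits, hex encoded (32 chars)."""
    return os.urandom(nbytes).hex()


def strong_hash(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with an explicit iteration count, so each guess
    costs `iterations` HMAC evaluations. Storage format chosen for this
    example: algorithm$iterations$salt$derived_key."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${dk.hex()}"


def verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt, _dk = stored.split("$")
    recomputed = strong_hash(password, salt, int(iters))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    # Constructed sample password; not from the ticket.
    pw = "correct horse"
    legacy = legacy_hash(pw, legacy_salt())
    print("legacy salt space:", legacy_salt_space())
    print("recovered legacy salt:", brute_force_legacy_salt(pw, legacy))
    stored = strong_hash(pw, strong_salt())
    print("pbkdf2 verify:", verify(pw, stored), verify("wrong", stored))
```

Recovering the legacy salt is a full enumeration of `16**5` single digests, which completes in seconds in pure Python; the PBKDF2 variant makes each guess cost the configured number of iterations and its salt space is 2**128.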
Change History (3)
comment:1 Changed 5 years ago by PaulM
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Resolution set to duplicate
- Status changed from new to closed