#16336 closed Uncategorized (duplicate)
Weak salts for auth backend
Reported by: | ninjaneo | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.3 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
salt = get_hexdigest(algo, str(random.random()), str(random.random()))[:5]
Does not provide enough entropy, as its solely numeric, and always begins with: '0.'
That means it only increases complexity by 3 numbers. 10*10*10 = 1000 possibilities.
Noticed there is also no iterative hashing performed (rounds), which is crucial part of salting.
Perhaps use os.urandom?
Change History (3)
comment:1 by , 13 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
comment:2 by , 13 years ago
Was refering to the use of str(random.random())[:5] sample output:
str(random.random())[:5]
'0.545'
'0.895'
etc.
comment:3 by , 13 years ago
Read the code again. Maybe try it in a Python interpreter. The function takes two long random inputs, hashes them, and only then truncates the resulting hash. The hash is truncated, not the random number. So you're really looking at 165 = 1048576 possibilities. I agree that it's still too short, but it's not at all as bad as you make it out to be.
When you report issues like this, please take the time to verify that the code actually works the way you think it does. It makes it a lot easier for everyone if the bug report doesn't contain misleading information.
Also, for the record, iterative hashing is an issue which is completely orthogonal to salting. They both contribute to security, but in different ways. Iterative hashing is related to algorithm choice. Salting is designed to prevent pre-computed dictionary attacks.
This has been discussed before. I'm not sure where you're getting "soley numeric" and "always starts with 0", but you might look at #15367, #5600, and #13969 for discussions of the length.
Closing as a dupe, most particularly of #13969.