Github user bhaisaab commented on the pull request:
https://github.com/apache/cloudstack/pull/841#issuecomment-140684521
I think the PasswordGenerator.generateRandomPassword (from utils) is not
secure at all for small lengths (such as the default 6), since it's not really
random ("random 3-character string with a lowercase character, uppercase
character, and a digit" + random n-character string with only lowercase
characters") and one could create a rainbow table to attempt to get into
systemvms. In case of uservms, it is advised to change the password; but in
case of systemvms it will be an issue. In case of systemvms, may be we can
still directly use the PasswordGenerator util but increase the length to 24 or
32 or 24+rand integer?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
