URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

tiran commented:
Please don't use a hack like sha1() to turn a random byte sequence into a hex 
value. At best sha1 keeps the entropy of the input. I also don't like the fact 
that the function only cares about the length of the output. The actual length 
is irrelevant. We care about the entropy of the output.

Let's drop pwd_len and apply proper math instead:

import math
import random
import string

alnum = string.ascii_letters + string.digits
sysrandom = random.SystemRandom()  # uses os.urandom() as RNG

def mkpasswd(entropy_bits=128, symbols=alnum):
    length = int(math.ceil(entropy_bits / math.log(len(symbols), 2)))
    return ''.join(sysrandom.choice(symbols) for _ in range(length))

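The entropy-first sizing proposed in the comment above, as an added example that is not code from the pull request or from FreeIPA: it derives the length from the target entropy and puts a number on why hashing a short random seed to hex does not help. Assumptions: the helper names `required_length`, `password_entropy_bits` and `hashed_hex_entropy_bits` are hypothetical, `secrets.choice` stands in for `random.SystemRandom().choice`, and the length is computed with integer arithmetic rather than `math.log` so that float rounding cannot shorten the result.

```python
import hashlib
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols, as in the comment


def required_length(entropy_bits, symbols):
    """Smallest length L with len(set(symbols))**L >= 2**entropy_bits.

    Integer arithmetic avoids float rounding in ceil(bits / log2(n)).
    """
    n = len(set(symbols))  # repeated symbols add no entropy
    if n < 2:
        raise ValueError("need at least two distinct symbols")
    length, space = 0, 1
    while space < (1 << entropy_bits):
        space *= n
        length += 1
    return length


def mkpasswd(entropy_bits=128, symbols=ALNUM):
    """Uniform random password carrying at least entropy_bits of entropy."""
    alphabet = sorted(set(symbols))
    length = required_length(entropy_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length, symbols):
    """Entropy of `length` uniform, independent draws from `symbols`."""
    return length * math.log2(len(set(symbols)))


def hashed_hex_entropy_bits(seed_bytes):
    """Upper bound on the entropy of sha1(seed).hexdigest().

    The 40 hex characters can carry no more than the seed (8 bits per
    byte) and no more than SHA-1's 160-bit output.
    """
    return min(8 * seed_bytes, hashlib.sha1().digest_size * 8)
```

A 40-character SHA-1 hex string built from an 8-byte seed is capped at 64 bits, while 22 alphanumeric characters drawn uniformly carry about 131 bits.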