URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

stlaz commented:
Correct me if I'm wrong here but I believe we're going for the scenario where 
the attacker has to guess the `xxx` bits of entropy and they know that they 
have to do it. We're not actually coding `xxx` bits of entropy as we need more 
entropy bits to get a sufficient result (hence `length = 
int(math.ceil(entropy_bits / math.log(len(self.chars), 2))`).
However! To the very first question of yours - unfortunately, there is a very 
small relation between the arguments in `__init__` and `__call__` as @tiran 
> I'm not clever enough to come up with an algorithm to calculate the length 
> with additional restrictions. My gut feeling tells me that less than 15% per 
> character class (3 for upper/lower case and symbols, 1 for digit) should be 
> ok.
From the code you can see that if a certain class of characters should not be 
used, it's not accounted for in the calculation of the final length of the 
password but that's about it - if a further restriction is made (>1 character 
of the give character class), this restriction is also not accounted for. But 
since we're the ones who'll be using this token generator, I think we could 
live with this. There should be a warning in a docstring somewhere, though.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to