URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

stlaz commented:
"""
Correct me if I'm wrong here but I believe we're going for the scenario where 
the attacker has to guess the `xxx` bits of entropy and they know that they 
have to do it. We're not actually coding `xxx` bits of entropy as we need more 
entropy bits to get a sufficient result (hence `length = 
int(math.ceil(entropy_bits / math.log(len(self.chars), 2)))`).
However! To the very first question of yours - unfortunately, there is a very 
small relation between the arguments in `__init__` and `__call__` as @tiran 
says:
> I'm not clever enough to come up with an algorithm to calculate the length 
> with additional restrictions. My gut feeling tells me that less than 15% per 
> character class (3 for upper/lower case and symbols, 1 for digit) should be 
> ok.
From the code you can see that if a certain class of characters should not be 
used, it's not accounted for in the calculation of the final length of the 
password but that's about it - if a further restriction is made (>1 character 
of the given character class), this restriction is also not accounted for. But 
since we're the ones who'll be using this token generator, I think we could 
live with this. There should be a warning in a docstring somewhere, though.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-266362288
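
An added example, not part of the original comment or of FreeIPA's code: it applies the length formula quoted above and then counts exactly how many passwords of that length satisfy per-class minimums, which bounds the entropy any generator can reach under those restrictions. The class alphabets (Python's `string` constants), the minimums (taken from the figures in the quoted remark) and all function names are assumptions made for illustration.

```python
import math
import string
from math import comb

# Assumed character classes (not taken from the PR): name -> (alphabet, minimum count).
CLASSES = {
    "lower": (string.ascii_lowercase, 3),
    "upper": (string.ascii_uppercase, 3),
    "digit": (string.digits, 1),
    "symbol": (string.punctuation, 3),
}

def password_length(entropy_bits, alphabet_size):
    """Length formula quoted in the comment above."""
    return int(math.ceil(entropy_bits / math.log(alphabet_size, 2)))

def compliant_count(length, classes):
    """Exact number of strings of `length` meeting every class minimum.

    ways[j] = number of ways to fill j positions using the classes seen so far.
    """
    ways = [1] + [0] * length
    for alphabet, minimum in classes.values():
        size = len(set(alphabet))
        nxt = [0] * (length + 1)
        for j in range(length + 1):
            # k of the j positions hold this class; the others hold earlier classes.
            nxt[j] = sum(comb(j, k) * size**k * ways[j - k]
                         for k in range(minimum, j + 1))
        ways = nxt
    return ways[length]

def max_entropy_bits(length, classes):
    """Upper bound on entropy: log2 of the number of compliant passwords."""
    count = compliant_count(length, classes)
    if count == 0:
        raise ValueError("minimums cannot be satisfied at this length")
    return math.log2(count)

if __name__ == "__main__":
    total = sum(len(a) for a, _ in CLASSES.values())
    n = password_length(128, total)
    print(n, n * math.log2(total), max_entropy_bits(n, CLASSES))
```

The difference between the unrestricted figure and the bound is the entropy given up to the restrictions; a generator that does not sample uniformly from the compliant set reaches less than the bound.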