URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

stlaz commented:
Correct me if I'm wrong here but I believe we're going for the scenario where 
the attacker has to guess the `xxx` bits of entropy and they know that they 
have to do it. We're not actually coding `xxx` bits of entropy as we need more 
entropy bits to get a sufficient result (hence `length = 
int(math.ceil(entropy_bits / math.log(len(self.chars), 2))`).
However! To the very first question of yours - unfortunately, there is a very 
small relation between the arguments in `__init__` and `__call__` as @tiran 
> I'm not clever enough to come up with an algorithm to calculate the length 
> with additional restrictions. My gut feeling tells me that less than 15% per 
> character class (3 for upper/lower case and symbols, 1 for digit) should be 
> ok.

From the code you can see that if a certain class of characters should not be 
used, it's not accounted for in the calculation of the final length of the 
password but that's about it - if a further restriction is made (>1 character 
of the given character class), this restriction is also not accounted for. But 
since we're the ones who'll be using this token generator, I think we could 
live with this. There should be a warning in a docstring somewhere, though.

edit: Just realized - the code is wrong, the restriction to a certain class == 
None should just mean that the characters from the given class could but don't 
have to appear in the password (thus still need to be accounted for), the 
restriction of a certain class == 0 should mean the character should not appear 
in the password and should not be accounted for in the length calculation.
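An added example (not code from the PR or from FreeIPA) of the length rule the comment describes, with the None / 0 / N semantics from the edit: 0 drops a class from the alphabet and from the length calculation, None leaves it optional but still counted, and N > 0 is enforced by rejection sampling without being reflected in the length. The class names and symbol set are assumptions made for this example.

```python
import math
import secrets
import string

# Character classes and their members are an assumption for this example,
# not FreeIPA's own table.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!$%&()*+,-./:;<=>?@[]^_{|}~",
}

def alphabet_and_length(entropy_bits, restrictions):
    """Return (alphabet, length) for the requested entropy.

    restrictions maps class name -> None (optional, still counted),
    0 (excluded: dropped from the alphabet) or N > 0 (at least N chars
    required).  Only exclusion changes the alphabet; required minimums
    are not reflected in the length, which is the caveat from the thread.
    """
    alphabet = "".join(chars for name, chars in CLASSES.items()
                       if restrictions.get(name) != 0)
    length = int(math.ceil(entropy_bits / math.log(len(alphabet), 2)))
    return alphabet, length

def satisfies(password, restrictions):
    """True if every class minimum is met and no excluded class appears."""
    for name, minimum in restrictions.items():
        count = sum(c in CLASSES[name] for c in password)
        if minimum == 0 and count:
            return False
        if minimum and count < minimum:
            return False
    return True

def generate(entropy_bits, restrictions):
    """Draw from the alphabet with a CSPRNG until all minimums are met."""
    alphabet, length = alphabet_and_length(entropy_bits, restrictions)
    if sum(m for m in restrictions.values() if m) > length:
        raise ValueError("class minimums exceed the computed length")
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(password, restrictions):
            return password
```

Because required minimums shrink the set of acceptable strings without lengthening the password, the effective entropy is slightly below `entropy_bits`; the rejection loop makes that loss explicit rather than hiding it.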
