New submission from Christian Heimes: crypt.mksalt() creates a salt with a lower entropy than possible. It uses random.SystemRandom().sample() to generate a salt string from the set of 64 chars (string.ascii_letters + string.digits + './'). SystemRandom() uses a CPRNG (good) but sample() returns n UNIQUE members of the set (very bad). sample() reduces the set of possible chars by one for each salt char.
Suggested fix:

    salt = base64.b64encode(os.urandom(salt_chars * 3 // 4), b"./").decode("ascii")

----------
assignee: christian.heimes
components: Library (Lib)
messages: 192683
nosy: christian.heimes, gregory.p.smith
priority: critical
severity: normal
stage: patch review
status: open
title: crypt.mksalt() result has unnecessarily low entropy
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue18405>
_______________________________________
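To make the entropy loss concrete, here is an added example (not part of the bug report and not CPython's code) that counts the bits of entropy sample() can produce for an n-char salt against draws with replacement, and puts the reported behaviour next to the suggested base64 fix. The function names mksalt_weak, mksalt_fixed and the helpers are my own.

```python
import base64
import math
import os
import random
import string

# the 64-char salt alphabet named in the report
SALT_ALPHABET = string.ascii_letters + string.digits + "./"


def entropy_sample_bits(n, alphabet_size=64):
    """Bits of entropy for n chars drawn WITHOUT replacement (sample()).

    The i-th char has only alphabet_size - i possibilities left, so the
    number of possible salts is 64 * 63 * ... * (64 - n + 1).
    """
    return sum(math.log2(alphabet_size - i) for i in range(n))


def entropy_choices_bits(n, alphabet_size=64):
    """Bits of entropy for n chars drawn WITH replacement (6 bits each)."""
    return n * math.log2(alphabet_size)


def mksalt_weak(salt_chars=16):
    """Reproduces the reported behaviour: sample() never repeats a char."""
    return "".join(random.SystemRandom().sample(SALT_ALPHABET, salt_chars))


def mksalt_fixed(salt_chars=16):
    """The suggested fix: CSPRNG bytes, base64 with './' in place of '+/'.

    Caveat: salt_chars must be a multiple of 4 for the result to be exactly
    salt_chars long with no '=' padding (16 chars <- 12 random bytes).
    """
    raw = os.urandom(salt_chars * 3 // 4)
    return base64.b64encode(raw, b"./").decode("ascii")


def has_repeated_char(salt):
    """True if any char occurs twice; impossible for sample()-built salts."""
    return len(set(salt)) != len(salt)


if __name__ == "__main__":
    print("16-char salt, sample():  %.2f bits" % entropy_sample_bits(16))
    print("16-char salt, replacement: %.2f bits" % entropy_choices_bits(16))
    print("weak:", mksalt_weak(), "fixed:", mksalt_fixed())
```

For the default 16-char salt the without-replacement count comes out about 3 bits short of the 96 bits the alphabet allows, and repeated characters are exactly what the fixed version produces and the weak one never can.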