#31358: Increase default password salt size in BasePasswordHasher.
--------------------------------------+------------------------------------
     Reporter:  Jon Moroney           |                    Owner:  nobody
         Type:  Cleanup/optimization  |                   Status:  new
    Component:  Utilities             |                  Version:  master
     Severity:  Normal                |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  1                     |      Needs documentation:  1
  Needs tests:  0                     |  Patch needs improvement:  1
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+------------------------------------

Comment (by Florian Apolloner):

 Given that https://github.com/django/django/pull/12675 is nearing
 completion (I expect it to get merged soon), it is time to think about
 this again. I had time to refresh my memory on how the salts work for the
 algos in question. I think it would be a good idea to define the
 salt_length in actual terms of entropy and not the length of the resulting
 string.

 To that extent I think the default `salt` function should change to
 something along the lines of:
 {{{
     import math
     from django.utils.crypto import get_random_string

     salt_len = 71  # information entropy in bits

     def salt(self):
         """Generate a cryptographically secure nonce salt in ASCII."""
         # get_random_string() defaults to a 62-character alphabet, so each
         # character carries log2(62) bits; round up to reach salt_len bits.
         char_count = math.ceil(math.log10(math.pow(2, self.salt_len)) / math.log10(62))
         return get_random_string(char_count)
 }}}

 At this point I'd probably change the `encode()` function to accept an
 empty salt and let the hashers generate the salt themselves if needed
 (argon2 for instance could do well like this and passing a salt to bcrypt
 makes no sense either). This way we would also get rid of the weirdness of
 bytes vs ASCII in the salt string and could pass the output of
 `os.urandom(some_length)` to the algorithms directly -- although that will
 probably be not as easy since we do have to be able to translate the
 existing salt strings *scratches head*.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/31358#comment:40>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
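The following is an added worked example, not code from the ticket or from Django, illustrating the entropy arithmetic in the comment above and the proposal that `encode()` treat an empty salt as "let the hasher generate one". It uses the standard-library `secrets` module over the same 62-character alphabet that Django's `get_random_string()` defaults to, and the `HypotheticalPBKDF2Hasher` class, its `salt_entropy` attribute and its encoded-string format are assumptions for illustration only, not Django's actual hasher API.

```python
import base64
import hashlib
import math
import secrets
import string

# Same alphabet as Django's get_random_string() default: 62 characters.
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(char_count, alphabet_size=len(ALPHABET)):
    """Entropy, in bits, of char_count characters drawn uniformly from the alphabet."""
    return char_count * math.log2(alphabet_size)


def chars_for_entropy(bits, alphabet_size=len(ALPHABET)):
    """Smallest character count whose entropy is at least `bits` (rounds up)."""
    return math.ceil(bits / math.log2(alphabet_size))


def bytes_for_entropy(bits):
    """Raw os.urandom()-style byte count carrying at least `bits` of entropy."""
    return math.ceil(bits / 8)


def ascii_salt(bits=71):
    """Generate an ASCII salt with at least `bits` of entropy (a stand-in for get_random_string)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(chars_for_entropy(bits)))


class HypotheticalPBKDF2Hasher:
    """Assumed, illustrative hasher: an empty/None salt means 'generate one here'."""

    algorithm = "hyp_pbkdf2_sha256"
    salt_entropy = 71          # target salt entropy in bits, not a character count
    iterations = 1000          # deliberately low so the example runs fast; not a production value

    def encode(self, password, salt=None):
        if not salt:
            salt = ascii_salt(self.salt_entropy)
        if "$" in salt:
            raise ValueError("salt must not contain the field separator '$'")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), self.iterations)
        return "%s$%d$%s$%s" % (self.algorithm, self.iterations, salt, base64.b64encode(dk).decode())

    def verify(self, password, encoded):
        algorithm, iterations, salt, stored = encoded.split("$", 3)
        if algorithm != self.algorithm:
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
        return secrets.compare_digest(base64.b64encode(dk).decode(), stored)

    def salt_entropy_of(self, encoded):
        """Entropy carried by the salt of an existing encoded password (assumes the 62-char alphabet)."""
        salt = encoded.split("$", 3)[2]
        return entropy_bits(len(salt))


if __name__ == "__main__":
    print("chars for 71 bits:", chars_for_entropy(71))       # 12, the historical 12-char default
    print("bits in 12 chars:", round(entropy_bits(12), 2))   # ~71.45
    print("bytes for 71 bits:", bytes_for_entropy(71))       # 9
    h = HypotheticalPBKDF2Hasher()
    enc = h.encode("correct horse battery staple")
    print(enc, h.verify("correct horse battery staple", enc), h.salt_entropy_of(enc))
```

The point of expressing the setting as bits rather than characters is visible in `chars_for_entropy`: the same 71-bit target yields 12 characters over the 62-character alphabet but 9 raw bytes from `os.urandom()`, so switching a hasher from ASCII salts to raw byte salts would not change the security parameter, only its encoding. `salt_entropy_of` shows the translation problem the comment raises: for stored hashes the salt length is fixed in the encoded string, so a bits-based setting only affects newly generated salts.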
