Christian Heimes <li...@cheimes.de> added the comment: I just found mksalt in the whatsnew section and got curious how you've implemented the function. IMHO it has one major security flaw.
The function uses random.choice(). The choice() function generates random values with a Mersenne Twister. However MTs are not suited for any cryptographic purpose and must not be used to generate passwords, session keys or salts. The random.SystemRandom class uses os.urandom() as source which is a wrapper around /dev/urandom or the Windows crypto API. The output is suitable for short living states and salts. I'm going to chance the implementation to a global instance of random.SystemRandom() and _sr.samples() as soon as Georg has cut beta 1. _sr = random.SystemRandom() s += ''.join(_sr.samples(_saltchars, method.salt_chars)) ---------- assignee: brett.cannon -> christian.heimes nosy: +christian.heimes resolution: fixed -> status: closed -> open type: enhancement -> security _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue10924> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
