django.contrib.auth and salt generation


ludvig.ericson

Sep 15, 2008, 4:31:02 PM9/15/08
to Django developers
Hey,
I was making my own auth backend for Django, which usually involves
copying a lot of code from django.contrib.auth when I noticed the
following:

salt = get_hexdigest(algo, str(random.random()),
                     str(random.random()))[:5]

My problem with this code is the use of random.random, and the use of
get_hexdigest.
The latter takes an algo, a value, and a salt and returns a hash in
hexadecimal representation.

First off, why str(random.random())? This effectively limits entropy
to 0-9 and a dot.
Second, why get_hexdigest? It's a salt, nothing says it has to be 0-9a-f.

My suggested replacement:
import random
import string

salt = ""
for x in xrange(5):
    salt += random.choice(string.letters + string.digits)

(If you want to make some unreadable, 100-width list comprehension, be
my guest.)

Just mere contemplations,
Ludvig

Fredrik Lundh

Sep 15, 2008, 4:56:51 PM9/15/08
to django-d...@googlegroups.com
ludvig.ericson wrote:

> First off, why str(random.random())? This effectively limits entropy
> to 0-9 and a dot.

your use of entropy is a bit odd: str(random.random()) can return 1e12
different strings (which is, afaik, more than the underlying random
number generator can produce).

</F>

Ludvig Ericson

Sep 15, 2008, 6:25:41 PM9/15/08
to django-d...@googlegroups.com
On Sep 15, 2008, at 22:56, Fredrik Lundh wrote:

> your use of entropy is a bit odd: str(random.random()) can return 1e12
> different strings (which is, afaik, more than the underlying random
> number generator can produce).

Yes, I didn't really communicate my concern.

If you do simple statistical analysis of the bits returned, you'll
quickly notice patterns - and if I understand hashing correctly, there
ought to be better distribution for more varying input (though this
depends on the algorithm.)

However, the str(random.random()) doesn't matter as much as the usage
of get_hexdigest - THAT limits the possible salts to 5 ** 16, while my
proposition limits it to 5 ** 62. That's a difference of
21684043449710088680149056017398681640625000 combinations, unless I
suck at maths (tm).

Ludvig Ericson
ludvig....@gmail.com

Ian Kelly

Sep 15, 2008, 6:35:12 PM9/15/08
to django-d...@googlegroups.com
On Mon, Sep 15, 2008 at 4:25 PM, Ludvig Ericson
<ludvig....@gmail.com> wrote:
> However, the str(random.random()) doesn't matter as much as the usage
> of get_hexdigest - THAT limits the possible salts to 5 ** 16, while my
> proposition limits it to 5 ** 62. That's a difference of
> 21684043449710088680149056017398681640625000 combinations, unless I
> suck at maths (tm).

Actually, it's the difference between 16 ** 5 and 62 ** 5, which is
only about 900,000,000. But I agree: unless there's some reason to be
using hex numbers, the salt shouldn't be limited like that. Have you
submitted a patch?

-Ian
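A worked illustration of the two salt schemes and of Ian's 16 ** 5 versus 62 ** 5 count, added here as example code; it is not part of the original thread and not Django's own code. Assumptions: get_hexdigest is emulated with hashlib.new over the concatenation of its two string arguments, with "sha1" as the algorithm; Ludvig's loop is reproduced with secrets.choice (Python 3.6+) in place of random.choice so the salt is drawn from the OS CSPRNG; salt_space, legacy_salt, proposed_salt and observed_alphabet are illustrative names chosen for this example.

```python
import hashlib
import random
import secrets
import string

# Alphabets of the two salt schemes discussed in the thread.
HEX_ALPHABET = "0123456789abcdef"                      # all a hexdigest can emit
ALNUM_ALPHABET = string.ascii_letters + string.digits  # 62 characters
SALT_LEN = 5


def salt_space(alphabet, length=SALT_LEN):
    """Number of distinct salts of `length` chars drawn from `alphabet`: |A| ** n."""
    return len(alphabet) ** length


def legacy_salt(length=SALT_LEN, algo="sha1"):
    """Emulates the django.contrib.auth idiom quoted at the top of the thread.

    Assumption: get_hexdigest(algo, value, salt) hashed the concatenation of
    its two string arguments with `algo`; argument order does not affect the
    point being made. random.random() is kept only to reproduce the legacy
    behaviour; it is a Mersenne Twister, not a CSPRNG.
    """
    material = str(random.random()) + str(random.random())
    return hashlib.new(algo, material.encode()).hexdigest()[:length]


def proposed_salt(length=SALT_LEN, alphabet=ALNUM_ALPHABET):
    """Ludvig's replacement, with random.choice swapped for secrets.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def observed_alphabet(make_salt, samples=2000):
    """Collect every character a salt generator actually emits over `samples` runs.

    Truncating a hexdigest can never produce anything outside 0-9a-f, whatever
    the input entropy, which is the limitation the thread is about.
    """
    seen = set()
    for _ in range(samples):
        seen.update(make_salt())
    return seen


if __name__ == "__main__":
    print("legacy salt   :", legacy_salt())
    print("proposed salt :", proposed_salt())
    print("legacy chars  :", "".join(sorted(observed_alphabet(legacy_salt))))
    print("hex space   16**5 =", salt_space(HEX_ALPHABET))
    print("alnum space 62**5 =", salt_space(ALNUM_ALPHABET))
    print("difference        =", salt_space(ALNUM_ALPHABET) - salt_space(HEX_ALPHABET))
```

Running it shows the legacy generator only ever emits hex characters, and that the gap between the two schemes is 62 ** 5 - 16 ** 5 = 915,084,256 salts, the "about 900,000,000" Ian states. Alphabet aside, a five-character salt is small by today's standards, and the source of randomness matters as much as the alphabet: random.random() is predictable once its state is known, whereas secrets draws from the operating system's CSPRNG.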

Ludvig Ericson

Sep 16, 2008, 1:25:50 AM9/16/08
to django-d...@googlegroups.com

Oh yeah, of course.

I submitted ticket #9101 with a patch attached, tested the gist of it
on Python 2.3 as well.

Ludvig "toxik" Ericson
ludvig....@gmail.com
