Re: One-line password generator

To: debian-user@lists.debian.org
Subject: Re: One-line password generator
From: "Thomas Schmitt" <scdbackup@gmx.net>
Date: Fri, 01 Sep 2017 10:41:38 +0200
Message-id: <[🔎] 235577557751021025347@scdbackup.webframe.org>
In-reply-to: <[🔎] 23752755775289805788@scdbackup.webframe.org>
References: <[🔎] 23752755775289805788@scdbackup.webframe.org>

Hi,

i forgot to emphasize that each user should generate an own salt value by

  $ python
  >>> bcrypt.gensalt(16)
  '$2a$16$MS6A6ZrsJ30ZdqHVCMWMm.'

and put it into the bcrypt call of bcryptedpw.py

  p = bcrypt.hashpw(userpw, '$2a$16$MS6A6ZrsJ30ZdqHVCMWMm.')[-31:]

If many users would use the same salt, then it would be rewarding for
the attacker to memorize the bcrypted failed tries and to re-use them
very quickly for attacking the next user.


Have a nice day :)

Thomas

Reply to:

References:
- Re: One-line password generator
  - From: "Thomas Schmitt" <scdbackup@gmx.net>

Prev by Date: Re: One-line password generator
Next by Date: Re: systemd says "org.freedesktop.systemd1.TransactionIsDestructive"
Previous by thread: Re: One-line password generator
Next by thread: Re: One-line password generator
Index(es):
- Date
- Thread