[Patches] crypt.salt()

Guido van Rossum guido@python.org
Tue, 16 May 2000 06:14:28 -0400


> I'll make this short.  The crypt module requires a salt
> value that the user currently has to gen.  I added a
> crypt.salt() function that does this for them.  It
> currently isn't much but it's set up to scale to the
> current system.

This has been suggested before, but I don't like it.

First of all, by calling srand() you may upset another random sequence
that another C module might be in the middle of.  Furthermore, the
rand() generator isn't cryptographically very strong (to put it
mildly), so you're generating salts that someone else could predict.
Next, how often are you creating new passwords with a Python script?
And if you are, and you don't care about the strength of your password
generator, how hard is it to write the corresponding Python code?

--Guido van Rossum (home page: http://www.python.org/~guido/)
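
The two objections in the reply above (reseeding a shared generator, and salts predictable from the seed), shown in Python next to a salt drawn from the OS CSPRNG. This is an added example, not code from the patch or from this thread; the function names, `SALT_CHARS`, the two-character salt length and the seed values are assumptions made for illustration.

```python
import random
import secrets

# Traditional crypt(3) salt alphabet (64 characters).
SALT_CHARS = ("./0123456789"
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "abcdefghijklmnopqrstuvwxyz")


def weak_salt(seed, length=2):
    """Salt from a seeded non-cryptographic PRNG: same seed, same salt."""
    rng = random.Random(seed)  # private instance; global state untouched
    return "".join(rng.choice(SALT_CHARS) for _ in range(length))


def strong_salt(length=2):
    """Salt from the OS CSPRNG: nothing to seed, no shared state."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def reseed_disturbs_sequence():
    """Return (expected, observed) for a caller whose shared-generator
    sequence is interrupted by a salt routine that reseeds it."""
    saved = random.getstate()
    try:
        random.seed(1234)              # caller A starts a sequence
        random.random()
        expected = random.random()     # A's second value, undisturbed

        random.seed(1234)              # replay A's sequence ...
        random.random()
        random.seed(958472068)         # ... salt routine reseeds (constructed seed)
        random.choice(SALT_CHARS)
        observed = random.random()     # A's second value, now different
        return expected, observed
    finally:
        random.setstate(saved)         # leave the global generator as found


if __name__ == "__main__":
    print("weak  :", weak_salt(958472068), weak_salt(958472068))
    print("strong:", strong_salt(), strong_salt())
    print("reseed:", reseed_disturbs_sequence())
```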