[Patches] crypt.salt()

Greg Stein gstein@lyra.org
Tue, 16 May 2000 11:58:23 -0700 (PDT)


On Tue, 16 May 2000, Guido van Rossum wrote:
> > I'll make this short.  The crypt module requires a salt
> > value that the user currently has to gen.  I added a
> > crypt.salt() function that does this for them.  It
> > currently isn't much but it's set up to scale to the
> > current system.
> 
> This has been suggested before, but I don't like it.
> 
> First of all, by calling srand() you may upset another random sequence
> that another C module might be in the middle of.

I was going to mention the same thing. It also appears that you don't
null-terminate the salt string before passing it to PyString_FromString.

> Furthermore, the
> rand() generator isn't cryptographically very strong (to put it
> mildly), so you're generating salts that someone else could predict.
> Next, how often are you creating new passwords with a Python script?
> And if you are, and you don't care about the strength of your password
> generator, how hard is it to write the corresponding Python code?

And Guido provides the ultimate nix: this function is just way too easy to
write in Python. I don't see a need to write it in C code.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
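
A Python sketch of the points raised in this thread, added as an example; it is not code from the patch or from anyone in the thread. The function names and the sample seed are constructed, `random.Random` only stands in for the srand()/rand() pattern (the patch's actual seed is not shown in this message), and the salt alphabet is the traditional crypt(3) set.

```python
import random
import secrets
import string

# Salt alphabet of traditional crypt(3): [a-zA-Z0-9./]
SALT_CHARS = string.ascii_letters + string.digits + "./"


def seeded_salt(seed, length=2):
    """Stand-in for srand(seed) + rand(): the salt is a pure function of the seed.

    random.Random is not C's rand(); it only models "seed once, then draw".
    A private instance is used so no shared generator state is disturbed.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(SALT_CHARS) for _ in range(length))


def salts_from_same_seed(seed, callers):
    """Salts obtained by several callers that all seed with the same value."""
    return {seeded_salt(seed) for _ in range(callers)}


def make_salt(length=2):
    """Salt drawn from the OS CSPRNG: nothing to seed, no shared state touched."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


if __name__ == "__main__":
    seed = 958503503  # constructed sample seed (a Unix timestamp)
    print("seeded:", sorted(salts_from_same_seed(seed, 5)))
    print("csprng:", [make_salt() for _ in range(5)])
```

Anyone who can guess the seed can reproduce the seeded salt exactly, while `make_salt()` depends on no guessable input.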