Python Cookbook security bug

Paul Rubin phr-n2002b at NOSPAMnightsong.com
Sat Aug 10 19:47:11 EDT 2002


I just got the Python Cookbook which looks very nice.  However, the
random password function on page 238 should not be used.  It uses a
non-cryptographic RNG which is seeded with only a low amount of
entropy.  If an attacker can see a user's /etc/password entry
containing the password hash, and (optionally) knows approximately
when the account was created, s/he can recover the password by simply
trying all possible initial states of the RNG.  If a bunch of new
accounts are created at the same time, it's even easier--breaking just
one of them gives you all of them.  And we haven't even talked about
attacks against the WH RNG algorithm rather than just its initial
state.

The "pastiche" method in the next recipe is even worse.  The passwords
it generates aren't especially easier to remember than random ones,
and the Markov scheme destroys much of what little entropy there is to
start with.  Unless your computer has some bogus limitation on the
length of passwords (e.g. Solaris has an 8-char limit), it's generally
better to use a random phrase (several words chosen randomly from a
dictionary) rather than a random combination of letters.

Finally, the advice against writing down passwords is perhaps
overemphasized.  If you write down a password on a piece of paper,
it's true that you might lose it or someone might find it, but at
least the paper won't normally be found by any type of computer
attack.  If you write it on a slip of paper in your wallet and keep a
backup in a safe place, you're probably ok.

See www.diceware.com for much sounder advice about generating secure
passphrases than the Cookbook gives.  A JavaScript page that generates
such phrases is at:

  http://www.nightsong.com/dice.php

One lesson from this is that Python desperately needs a secure RNG
function.  Unfortunately, those are very difficult to write
platform-independently.
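
An added example, not part of the original post: a Diceware-style passphrase generator that draws from the operating system's CSPRNG through Python's `secrets` module, together with the entropy arithmetic behind the post's argument. The word list is a constructed sample, and the 20-bit seed figure is an assumed value for illustration, not a measurement of the Cookbook recipe.

```python
import math
import secrets

# Constructed sample list for illustration only; a real Diceware list has
# 7776 words (five six-sided dice per word).
SAMPLE_WORDS = [
    "anchor", "breeze", "cactus", "dagger", "ember", "fossil", "garnet",
    "harbor", "icicle", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "oyster", "pebble",
]

def passphrase(words, count=6, sep=" "):
    """Pick `count` words independently and uniformly using the OS CSPRNG."""
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(set(words)) != len(words):
        # Duplicates skew the distribution and make the entropy estimate wrong.
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))

def output_bits(symbols, length):
    """Entropy in bits of `length` independent uniform picks from `symbols`."""
    return length * math.log2(symbols)

def effective_bits(seed_bits, symbols, length):
    """A deterministic generator cannot emit more entropy than its seed holds,
    so the weaker of seed and output space bounds the search."""
    return min(seed_bits, output_bits(symbols, length))

if __name__ == "__main__":
    # 8 characters from [A-Za-z0-9] look like ~47.6 bits on paper...
    print("8-char password, ideal RNG: %.1f bits" % output_bits(62, 8))
    # ...but with an assumed 20-bit seed only 2**20 passwords are possible.
    print("same, 20-bit seed (assumed): %.1f bits" % effective_bits(20, 62, 8))
    # Six words from a full 7776-word list, drawn from a CSPRNG.
    print("6-word Diceware phrase:      %.1f bits" % output_bits(7776, 6))
    # The 16-word sample list gives only 4 bits per word; use a full list.
    print("sample phrase:", passphrase(SAMPLE_WORDS))
```
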


