Salts are generated poorly

Taavi Burns avatarTaavi Burns created an issue

This line of code: https://bitbucket.org/Shotca/flask-auth/src/c5f162dcd60146aac07048877b8fdd00f352361c/flaskext/auth/auth.py?at=default#cl-83

generates the default salt once, at module import time. It will not change again until the module's imported. This means that someone using this who does not override the default will have the same salt for all passwords generated until a server restart. This defeats the purpose of having a salt.

The default value should probably be a callable, evaluated by the function at call time.

I don't think it's a huge issue that the salts are guessable, but there are much better functions to use for such a value, such as os.urandom().

Comments (1)

  1. Log in to comment
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.