Univention Bugzilla – Bug 50728
Insecure password generation
Last modified: 2020-03-24 09:02:38 CET
There are several locations with dubious code for password generation:

management/univention-self-service/umc/python/passwordreset/__init__.py Instance.create_token()

    population = ''.join(set(string.ascii_letters) | set(string.digits) - {"0", "O", "1", "I", "l"})

With Python 3.6 (Stretch only has 3.5, Buster has 3.7) <https://docs.python.org/3/library/random.html#random.choices> should be used.

management/univention-self-service/umc/python/passwordreset/__init__.py Instance.create_token()
services/univention-squid/squid_ldap_ntlm_auth createNtlmTypeTwo()
Can you explain? The code is actually the following and uses random.SystemRandom(), which is not a PRNG and is safe for cryptographic use:

    @staticmethod
    def create_token(length):
        # remove easily confusable characters
        chars = string.ascii_letters.replace("l", "").replace("I", "").replace("O", "") + "".join(map(str, range(2, 10)))
        rand = random.SystemRandom()
        res = ""
        for _ in range(length):
            res += rand.choice(chars)
        return res

While the other example is broken:

    def createNtlmTypeTwo():

        challenge = "".join(random.sample(string.printable + "0123456789", 8))
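The contrast drawn in the two comments above, worked through as an added example (this is not code from the bug report or from the Univention tree): a CSPRNG-backed token generator using the same confusable-character-free alphabet as the quoted create_token(), a CSPRNG-backed NTLM challenge, a seeded stand-in for the random.sample() pattern in createNtlmTypeTwo() to show that the Mersenne Twister behind the random module is deterministic, and a helper that puts a number on the entropy lost by sampling without replacement. The function names, the explicit seed and the entropy helper are assumptions introduced for illustration; secrets.choice() is used as the per-character equivalent of the SystemRandom().choices() call the reporter points at.

```python
import math
import random
import secrets
import string

# Alphabet from the quoted create_token(): ascii letters minus l, I, O,
# plus digits 2-9 (0 and 1 are never added). 49 letters + 8 digits = 57.
TOKEN_CHARS = (
    string.ascii_letters.replace("l", "").replace("I", "").replace("O", "")
    + "".join(map(str, range(2, 10)))
)


def create_token(length, chars=TOKEN_CHARS):
    """Draw `length` characters, with replacement, from the OS CSPRNG.

    secrets.choice() reads os.urandom via SystemRandom, so every draw is
    independent and the token has length * log2(len(chars)) bits of entropy.
    random.SystemRandom().choices(chars, k=length) is the 3.6+ one-liner.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(chars) for _ in range(length))


def create_ntlm_challenge(nbytes=8):
    """An NTLM server challenge is 8 raw bytes; no printable alphabet is
    needed, so take them straight from the CSPRNG (hypothetical helper)."""
    return secrets.token_bytes(nbytes)


def insecure_challenge(seed=None):
    """Stand-in for the createNtlmTypeTwo() pattern quoted above.

    random.Random is the Mersenne Twister, which the Python docs state is
    not suitable for security purposes. Seeding it here makes the point
    visible: the same seed always yields the same "challenge". Note also
    that string.printable already contains the digits, so appending
    "0123456789" merely doubles their weight in the population.
    """
    rng = random.Random(seed)
    return "".join(rng.sample(string.printable + "0123456789", 8))


def entropy_bits(alphabet_size, length, with_replacement=True):
    """Bits of entropy in a token of `length` symbols from an alphabet.

    Sampling without replacement (random.sample) shrinks the choice at each
    step, so it yields log2 of the falling factorial instead of
    length * log2(alphabet_size).
    """
    if with_replacement:
        return length * math.log2(alphabet_size)
    combos = 1
    for i in range(length):
        combos *= alphabet_size - i
    return math.log2(combos)


if __name__ == "__main__":
    print("token      :", create_token(16))
    print("challenge  :", create_ntlm_challenge().hex())
    print("seeded MT  :", insecure_challenge(42), insecure_challenge(42))
    print("57^16 bits :", round(entropy_bits(len(TOKEN_CHARS), 16), 1))
    print("8 of 110, with / without replacement:",
          round(entropy_bits(110, 8), 2), "/",
          round(entropy_bits(110, 8, with_replacement=False), 2))
```

The entropy helper is the check a reviewer would want when sizing a token: a 16-character token over the 57-symbol alphabet above carries about 93 bits, comfortably more than the 64 bits of an 8-byte challenge, while the random.sample() form loses a fraction of a bit to sampling without replacement on top of being predictable once the generator state is known.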