[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

stlaz freeipa-github-notification at redhat.com
Mon Dec 12 07:42:41 UTC 2016


  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

stlaz commented:
"""
Correct me if I'm wrong here but I believe we're going for the scenario where the attacker has to guess the `xxx` bits of entropy and they know that they have to do it. We're not actually coding `xxx` bits of entropy as we need more entropy bits to get a sufficient result (hence `length = int(math.ceil(entropy_bits / math.log(len(self.chars), 2)))`).
However! To the very first question of yours - unfortunately, there is a very small relation between the arguments in `__init__` and `__call__` as @tiran says:
> I'm not clever enough to come up with an algorithm to calculate the length with additional restrictions. My gut feeling tells me that less than 15% per character class (3 for upper/lower case and symbols, 1 for digit) should be ok.
From the code you can see that if a certain class of characters should not be used, it's not accounted for in the calculation of the final length of the password but that's about it - if a further restriction is made (>1 character of the given character class), this restriction is also not accounted for. But since we're the ones who'll be using this token generator, I think we could live with this. There should be a warning in a docstring somewhere, though.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266362288
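
The effect discussed in the comment above can be measured. This added example is not code from the PR or the FreeIPA project; it reuses the quoted length formula and counts exactly how many passwords remain once per-class minimums are enforced. The class definitions, the function names and the minimums tried are assumptions, and the effective figure is an upper bound that assumes the generator picks uniformly among valid passwords.

```python
import math
import string

# Assumed character classes (constructed; the PR's own definitions are not on this page).
CLASS_SIZES = {
    "digits": len(string.digits),            # 10
    "lower": len(string.ascii_lowercase),    # 26
    "upper": len(string.ascii_uppercase),    # 26
    "special": len(string.punctuation),      # 32
}


def password_length(entropy_bits, alphabet_size):
    """Length formula quoted in the comment: ceil(bits / log2(alphabet size))."""
    return int(math.ceil(entropy_bits / math.log(alphabet_size, 2)))


def count_valid(length, sizes, minimums):
    """Count strings of `length` over disjoint classes in which class i
    occurs at least minimums[i] times (exact, arbitrary-precision ints)."""
    ways = [1] + [0] * length  # ways[j]: valid strings of length j so far
    for size, minimum in zip(sizes, minimums):
        nxt = [0] * (length + 1)
        for j in range(length + 1):
            # Choose which k of the j positions hold a character of this class.
            nxt[j] = sum(math.comb(j, k) * size ** k * ways[j - k]
                         for k in range(minimum, j + 1))
        ways = nxt
    return ways[length]


def effective_entropy(entropy_bits, minimums):
    """Return (length, nominal_bits, effective_bits) when the length is
    computed without regard to the per-class minimums."""
    sizes = list(CLASS_SIZES.values())
    length = password_length(entropy_bits, sum(sizes))
    nominal = length * math.log2(sum(sizes))
    effective = math.log2(count_valid(length, sizes, minimums))
    return length, nominal, effective


if __name__ == "__main__":
    # Hypothetical minimums per class: none, one each, three each.
    for mins in ([0, 0, 0, 0], [1, 1, 1, 1], [3, 3, 3, 3]):
        length, nominal, effective = effective_entropy(128, mins)
        print(mins, length, round(nominal, 2), round(effective, 2),
              "loss: %.2f bits" % (nominal - effective))
```

Because the length is rounded up, the nominal figure already exceeds the requested bits; the printed loss shows how much of that margin each set of minimums consumes.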

