[Openstack] OS API server password generation

Justin Santa Barbara justin at fathomdb.com
Thu Mar 3 01:33:57 UTC 2011


We should be "secure out of the box", and not require the user to change
their password or manually lock down SSH to disable password auth.

A secure password would still be just as readable: I was thinking we'd use
the secure bytes to generate a readable password (either using them as a
seed or e.g. by mapping 5 bits at a time).  By using only 5 bits, we can
skip some of the trickier letter pairs e.g. 1/I or 0/O.



On Wed, Mar 2, 2011 at 5:17 PM, Ed Leafe <ed at leafe.com> wrote:

> On Mar 2, 2011, at 8:01 PM, Justin Santa Barbara wrote:
>
> > Also, I know security through obscurity isn't really security, but if
> we're open source, I think we must have "strong" password generation,
> whatever may or may not have been the case in the past.  I suggest beefing
> up the generate_password function to make use of os.urandom (which I know
> isn't perfect either, but is probably secure enough for anyone willing to
> rely on a password)
>
>         The general process (at least in Rackspace Cloud Servers) is to
> create an initial root password which we then display for the instance
> owner; he/she can then shell in and change it to whatever they like. So I
> think that at best the os.urandom generator should be an option, with the
> less secure but easier to communicate password scheme also available.
>
>
> -- Ed Leafe
>
>
>
>
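The 5-bits-at-a-time scheme Justin sketches above, written out as an added example (this is not code from the thread or from the nova `generate_password` function it discusses). The alphabet, function names and the 13-character default are assumptions chosen for illustration: 32 symbols give exactly five bits per character, so every symbol is equally likely with no modulo bias, and dropping 0/O and 1/I removes the letter pairs the mail calls out.

```python
import math
import os

# Constructed 32-symbol alphabet: digits 2-9 plus upper-case A-Z with the
# confusable I and O removed. 32 symbols means each character carries exactly
# 5 bits, so a 5-bit chunk indexes the alphabet with no leftover range.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
BITS_PER_CHAR = 5
assert len(ALPHABET) == 1 << BITS_PER_CHAR


def bits_to_password(random_bytes: bytes, length: int) -> str:
    """Map each 5-bit chunk of random_bytes to one alphabet symbol.

    Chunks are taken from the low end of the integer formed by the bytes,
    so the caller must supply at least ceil(length * 5 / 8) bytes.
    """
    if len(random_bytes) * 8 < length * BITS_PER_CHAR:
        raise ValueError("not enough random bytes for the requested length")
    value = int.from_bytes(random_bytes, "big")
    chars = []
    for _ in range(length):
        chars.append(ALPHABET[value & (len(ALPHABET) - 1)])  # low 5 bits
        value >>= BITS_PER_CHAR
    return "".join(chars)


def chars_for_entropy(min_bits: int) -> int:
    """Smallest password length that carries at least min_bits of entropy."""
    return math.ceil(min_bits / BITS_PER_CHAR)


def password_entropy_bits(length: int) -> float:
    """Entropy of a password of the given length drawn from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def generate_password(length: int = 13) -> str:
    """Readable password from os.urandom; 13 chars is 65 bits of entropy."""
    needed_bytes = math.ceil(length * BITS_PER_CHAR / 8)
    return bits_to_password(os.urandom(needed_bytes), length)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "entropy bits:", password_entropy_bits(len(pw)))
```

Mapping the bytes directly, rather than using them to seed `random`, keeps the password's entropy equal to the entropy of the bytes consumed; seeding the standard PRNG would route the output through a generator that is not designed for secrets. The entropy helpers make the trade-off the thread is arguing about explicit: a password short enough to read out to a user still has a quantified strength, and `chars_for_entropy` tells the operator how many characters a chosen security margin costs.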