Ensure generated passwords meet minimum complexity

Windows has a complexity requirement of at least three of these criteria: - one or more upper case characters - one or more lower case characters - one or more numbers - one or more special characters In some cases, the passwords generated didn't meet three of these four critera. This change enforces that three of these criteria will be met in the generated passwords. Change-Id: Ibe0055b8830b426aee1c9b722cc2fae2f5db4c5c
2011-12-29 17:23:27 +00:00
parent bc4162e10d
commit a980e30136
1 changed files with 29 additions and 6 deletions
--- a/nova/utils.py
+++ b/nova/utils.py
@@ -351,13 +351,13 @@ def generate_uid(topic, size=8):

 # Default symbols to use for passwords. Avoids visually confusing characters.
 # ~6 bits per symbol
-DEFAULT_PASSWORD_SYMBOLS = ('23456789'  # Removed: 0,1
-                            'ABCDEFGHJKLMNPQRSTUVWXYZ'  # Removed: I, O
+DEFAULT_PASSWORD_SYMBOLS = ('23456789',  # Removed: 0,1
+                            'ABCDEFGHJKLMNPQRSTUVWXYZ',   # Removed: I, O
                            'abcdefghijkmnopqrstuvwxyz')  # Removed: l


 # ~5 bits per symbol
-EASIER_PASSWORD_SYMBOLS = ('23456789'  # Removed: 0, 1
+EASIER_PASSWORD_SYMBOLS = ('23456789',  # Removed: 0, 1
                           'ABCDEFGHJKLMNPQRSTUVWXYZ')  # Removed: I, O


@@ -421,14 +421,37 @@ def usage_from_instance(instance_ref, **kw):
    return usage_info


-def generate_password(length=20, symbols=DEFAULT_PASSWORD_SYMBOLS):
-    """Generate a random password from the supplied symbols.
+def generate_password(length=20, symbolgroups=DEFAULT_PASSWORD_SYMBOLS):
+    """Generate a random password from the supplied symbol groups.
+
+    At least one symbol from each group will be included. Unpredictable
+    results if length is less than the number of symbol groups.

    Believed to be reasonably secure (with a reasonable password length!)

    """
    r = random.SystemRandom()
-    return ''.join([r.choice(symbols) for _i in xrange(length)])
+
+    # NOTE(jerdfelt): Some password policies require at least one character
+    # from each group of symbols, so start off with one random character
+    # from each symbol group
+    password = [r.choice(s) for s in symbolgroups]
+    # If length < len(symbolgroups), the leading characters will only
+    # be from the first length groups. Try our best to not be predictable
+    # by shuffling and then truncating.
+    r.shuffle(password)
+    password = password[:length]
+    length -= len(password)
+
+    # then fill with random characters from all symbol groups
+    symbols = ''.join(symbolgroups)
+    password.extend([r.choice(symbols) for _i in xrange(length)])
+
+    # finally shuffle to ensure first x characters aren't from a
+    # predictable group
+    r.shuffle(password)
+
+    return ''.join(password)


 def last_octet(address):