Insecure crypto

[usrbinsam]

LicenseServer/auth.py

Line 48 in 9beb984

salt = ''.join(random.choice(ALPHABET) for i in range(16))

I would not trust the randomness of this function. You should use this module instead: https://docs.python.org/3/library/secrets.html#module-secrets.

LicenseServer/auth.py

Line 35 in 9beb984

return key == stored_key

This is vulnerable to a timing attack, Use a constant time comparison function or https://docs.python.org/3.6/library/hmac.html#hmac.compare_digest

LicenseServer/requirements.txt

Line 6 in 9beb984

passlib==1.7.1

I see you listed passlib as a requirement but you aren't using it, which supports sha256_crypt and it generates a salt for you, and includes a constant time comparison function. This would solve both of the above issues.

[pyskell]

Thanks! I agree on both points and will need to adopt these changes.