davidaurelio / hashids-python

Implementation of hashids (http://hashids.org) in Python. Compatible with Python 2 and Python 3
MIT License

Salt Only uses first 43 Characters #43

Open coofercat opened 4 years ago

coofercat commented 4 years ago

I'm seeing that the salt is limited in usable length (contrary to popular assumptions that you should use a "long random string"). For example, here's a session:

>>> from hashids import Hashids
>>> Hashids('12345678901234567890123456789012345678901234').encode(1)
'WJ'
>>> Hashids('1234567890123456789012345678901234567890123').encode(1)
'WJ'
>>> Hashids('123456789012345678901234567890123456789012').encode(1)
'QN'

It doesn't seem to matter what the contents of the salt are; it's always 43 characters.

I can't immediately see the cause of this - it may be something to do with the length of the alphabet (62) minus the length of the separators (14) and something else. It doesn't seem to be dependent on the length of the number encoded (I tried 8-, 16-, 32-, 64- and 128-bit numbers).

I'm not sure if this is a bug, an undocumented feature or my (mis)understanding, but thought it worth raising as consumers of this library do indeed recommend "a long and secure salt value...". If it is an undocumented feature, some explanation of why 43 characters would probably be helpful.

(edit: By chance, this also happens to be issue #43 :-) )

davidaurelio commented 4 years ago

Good question. I ported this from JS a long time ago. It might make sense to change this behaviour.