WordPress.org

Make WordPress Core

Opened 6 months ago

Last modified 5 months ago

#25816 new enhancement

Use a CSPRNG when generating passwords

Reported by: rmccue Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:

Description (last modified by rmccue)

As Solar Designer (the author of the PHPass library that we use) pointed out on Twitter (1, 2), we don't use a CSPRNG in wp_generate_password() (and the underlying wp_rand()). The current implementation of wp_rand() uses mt_rand(), which is the Mersenne Twister PRNG. MT is not cryptographically secure, and Solar Designer also has a seed cracker for it.

We don't always need a CSPRNG, and wp_generate_password() is used for purposes other than passwords too (woo), so switching might not be ideal for everyone using it (since not everyone needs the string for passwords, but might just be for a random token string).

I'd like to propose we introduce wp_csrand() and use it by default in wp_generate_password(). I'd also like to add an extra parameter to wp_generate_password() to allow using mt_rand() instead, for non-cryptographic purposes.

Change History (4)

comment:1 rmccue6 months ago

  • Description modified (diff)

comment:2 rmccue6 months ago

Solar Designer also points out (1, 2, 3) that we have an implementation in PHPass that we can borrow from, as well as this implementation designed for DokuWiki.

comment:3 tomdxw6 months ago

  • Cc tom@… added

comment:4 Denis-de-Bernardy5 months ago

  • Cc ddebernardy@… added
Note: See TracTickets for help on using tickets.