Make WordPress Core

Opened 2 years ago

Closed 4 days ago

#25816 closed enhancement (duplicate)

Use a CSPRNG when generating passwords

Reported by: rmccue Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:

Description (last modified by rmccue)

As Solar Designer (the author of the PHPass library that we use) pointed out on Twitter (1, 2), we don't use a CSPRNG in wp_generate_password() (and the underlying wp_rand()). The current implementation of wp_rand() uses mt_rand(), which is the Mersenne Twister PRNG. MT is not cryptographically secure, and Solar Designer also has a seed cracker for it.

We don't always need a CSPRNG, and wp_generate_password() is used for purposes other than passwords too (woo), so switching might not be ideal for everyone using it (since not everyone needs the string for passwords, but might just be for a random token string).

I'd like to propose we introduce wp_csrand() and use it by default in wp_generate_password(). I'd also like to add an extra parameter to wp_generate_password() to allow using mt_rand() instead, for non-cryptographic purposes.

Change History (7)

#1 @rmccue
2 years ago

  • Description modified (diff)

#2 @rmccue
2 years ago

Solar Designer also points out (1, 2, 3) that we have an implementation in PHPass that we can borrow from, as well as this implementation designed for DokuWiki.

#3 @tomdxw
2 years ago

  • Cc tom@… added

#4 @Denis-de-Bernardy
2 years ago

  • Cc ddebernardy@… added

#5 @chriscct7
10 days ago

  • Keywords needs-patch added

#6 @sarciszewski
4 days ago

As of 4.4 this should be resolved by the changesets attached to #28633

#7 @SergeyBiryukov
4 days ago

  • Keywords needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #28633.

Note: See TracTickets for help on using tickets.