Changes between Initial Version and Version 1 of Ticket #25816
- Timestamp:
- 11/04/2013 02:31:43 PM (12 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #25816 – Description
initial v1 1 As Solar Designer (the author of the PHPass library that we use) pointed out on Twitter ([https://twitter.com/solardiz/status/397355834638073856 1], [https://twitter.com/solardiz/status/397357245828440064 2]), we don't use a CSPRNG in `wp_generate_password()` . The current implementation of `wp_rand()` uses `mt_rand()`, which is the Mersenne Twister PRNG. MT is '''not cryptographically secure''', and Solar Designer also has a [http://www.openwall.com/php_mt_seed/ seed cracker] for it.1 As Solar Designer (the author of the PHPass library that we use) pointed out on Twitter ([https://twitter.com/solardiz/status/397355834638073856 1], [https://twitter.com/solardiz/status/397357245828440064 2]), we don't use a CSPRNG in `wp_generate_password()` (and the underlying `wp_rand()`). The current implementation of `wp_rand()` uses `mt_rand()`, which is the Mersenne Twister PRNG. MT is '''not cryptographically secure''', and Solar Designer also has a [http://www.openwall.com/php_mt_seed/ seed cracker] for it. 2 2 3 3 We don't always need a CSPRNG, and `wp_generate_password()` is used for purposes other than passwords too (woo), so switching might not be ideal for everyone using it (since not everyone needs the string for passwords, but might just be for a random token string).