Opened 7 years ago
Last modified 7 years ago
#44032 new enhancement
Use random_bytes() for generating keys and salts
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | trivial | Version: | |
| Component: | Upgrade/Install | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
While auditing WordPress for remote queries the servers make, I noticed the generation of salts in wp-admin.php is wasteful, with an unnecessary loop inside a loop. If the system PHP supports random_int, it also supports random_bytes.
Attached patch generates 64-byte (512-bit) salts without needing the 64-round loop inside the 8-round loop.
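Added example to make the comparison concrete; this is not the attached patch and not WordPress core code. It places an assumed reconstruction of the dictionary-based nested loop (8 keys of 64 characters drawn with random_int() from a 92-symbol alphabet) beside a random_bytes()-based generator, computes the entropy of each, and renders the eight wp-config.php defines. The base64 encoding of the random bytes is an assumption of this example, chosen because the output must sit inside a single-quoted PHP string; the existing alphabet likewise omits `'`, `"` and `\` for the same reason.

```php
<?php
// Added example for ticket #44032: not the attached patch, not core code.
declare(strict_types=1);

// Assumed shape of the existing generator: a fixed alphabet, 8 keys,
// 64 characters each, one random_int() call per character.
const DICTIONARY = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    . '0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|';

function salts_from_dictionary(int $count = 8, int $length = 64): array
{
    $max  = strlen(DICTIONARY) - 1;
    $keys = [];
    for ($i = 0; $i < $count; $i++) {
        $key = '';
        for ($j = 0; $j < $length; $j++) {
            $key .= DICTIONARY[random_int(0, $max)];
        }
        $keys[] = $key;
    }
    return $keys;
}

// Entropy of a dictionary salt is length * log2(alphabet size); you have to
// count the alphabet to know it, which is note A) in the comment below.
function dictionary_entropy_bits(int $length): float
{
    return $length * log(strlen(DICTIONARY), 2);
}

// random_bytes() generator: entropy is simply $bytes * 8 and is adjusted by
// changing one number. base64 output contains only A-Z a-z 0-9 + / =, so it
// cannot terminate the single-quoted string in define().
function salts_from_random_bytes(int $count = 8, int $bytes = 64): array
{
    $keys = [];
    for ($i = 0; $i < $count; $i++) {
        $keys[] = base64_encode(random_bytes($bytes));
    }
    return $keys;
}

function random_bytes_entropy_bits(int $bytes): int
{
    return $bytes * 8;
}

// Render the eight constants in the form wp-config.php expects.
function render_defines(array $keys): string
{
    $names = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
              'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
    $out = '';
    foreach ($names as $i => $name) {
        $out .= sprintf("define( '%s', '%s' );\n", $name, $keys[$i]);
    }
    return $out;
}

printf("dictionary salt: %.0f bits (64 chars from %d symbols)\n",
    dictionary_entropy_bits(64), strlen(DICTIONARY));
printf("random_bytes salt: %d bits (64 bytes)\n", random_bytes_entropy_bits(64));

// Both generators produce strings safe to paste into wp-config.php.
echo render_defines(salts_from_dictionary());
echo render_defines(salts_from_random_bytes());
```

With the 92-symbol alphabet the dictionary salt carries about 418 bits, while 64 random bytes carry 512; the number a reviewer has to trust is the one that is written down, which is the point of switching to random_bytes().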
Attachments (1)
Change History (3)
#1, 7 years ago
Adding a couple of notes:
A) This makes it much easier to see how much entropy is in the generation of the salt, as you do not need to calculate the size of the dictionary.
B) This makes it much easier to adjust how much entropy is in the generation of the salt if needed to meet some guidelines (e.g. if NIST or someone were to publish guidelines saying salts needed 384 bits of entropy or something like that to comply with a certain standard).
There already are strong suggestions that a nonce used as a CSRF token have 128 bits of entropy, for example, so it wouldn't surprise me if salts soon had similar guidelines too.
change to setup-config