[wp-trac] [WordPress Trac] #25816: Use a CSPRNG when generating passwords

WordPress Trac noreply at wordpress.org
Mon Nov 4 14:31:43 UTC 2013


#25816: Use a CSPRNG when generating passwords
-------------------------+------------------------------
 Reporter:  rmccue       |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Security     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+------------------------------
Description changed by rmccue:

Old description:

> As Solar Designer (the author of the PHPass library that we use) pointed
> out on Twitter ([https://twitter.com/solardiz/status/397355834638073856
> 1], [https://twitter.com/solardiz/status/397357245828440064 2]), we don't
> use a CSPRNG in `wp_generate_password()`. The current implementation of
> `wp_rand()` uses `mt_rand()`, which is the Mersenne Twister PRNG. MT is
> '''not cryptographically secure''', and Solar Designer also has a
> [http://www.openwall.com/php_mt_seed/ seed cracker] for it.
>
> We don't always need a CSPRNG, and `wp_generate_password()` is used for
> purposes other than passwords too (woo), so switching might not be ideal
> for everyone using it (since not everyone needs the string for passwords,
> but might just be for a random token string).
>
> I'd like to propose we introduce `wp_csrand()` and use it by default in
> `wp_generate_password()`. I'd also like to add an extra parameter to
> `wp_generate_password()` to allow using `mt_rand()` instead, for non-
> cryptographic purposes.

New description:

 As Solar Designer (the author of the PHPass library that we use) pointed
 out on Twitter ([https://twitter.com/solardiz/status/397355834638073856
 1], [https://twitter.com/solardiz/status/397357245828440064 2]), we don't
 use a CSPRNG in `wp_generate_password()` (and the underlying `wp_rand()`).
 The current implementation of `wp_rand()` uses `mt_rand()`, which is the
 Mersenne Twister PRNG. MT is '''not cryptographically secure''', and Solar
 Designer also has a [http://www.openwall.com/php_mt_seed/ seed cracker]
 for it.

 We don't always need a CSPRNG, and `wp_generate_password()` is used for
 purposes other than passwords too (woo), so switching might not be ideal
 for everyone using it (since not everyone needs the string for passwords,
 but might just be for a random token string).

 I'd like to propose we introduce `wp_csrand()` and use it by default in
 `wp_generate_password()`. I'd also like to add an extra parameter to
 `wp_generate_password()` to allow using `mt_rand()` instead, for non-
 cryptographic purposes.

--

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25816#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list