[wp-trac] [WordPress Trac] #25816: Use a CSPRNG when generating passwords
WordPress Trac
noreply at wordpress.org
Mon Nov 4 14:31:43 UTC 2013
#25816: Use a CSPRNG when generating passwords
-------------------------+------------------------------
Reporter: rmccue | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: |
-------------------------+------------------------------
Description changed by rmccue:
Old description:
> As Solar Designer (the author of the PHPass library that we use) pointed
> out on Twitter ([https://twitter.com/solardiz/status/397355834638073856
> 1], [https://twitter.com/solardiz/status/397357245828440064 2]), we don't
> use a CSPRNG in `wp_generate_password()`. The current implementation of
> `wp_rand()` uses `mt_rand()`, which is the Mersenne Twister PRNG. MT is
> '''not cryptographically secure''', and Solar Designer also has a
> [http://www.openwall.com/php_mt_seed/ seed cracker] for it.
>
> We don't always need a CSPRNG, and `wp_generate_password()` is used for
> purposes other than passwords too (woo), so switching might not be ideal
> for everyone using it (since not everyone needs the string for passwords,
> but might just be for a random token string).
>
> I'd like to propose we introduce `wp_csrand()` and use it by default in
> `wp_generate_password()`. I'd also like to add an extra parameter to
> `wp_generate_password()` to allow using `mt_rand()` instead, for non-
> cryptographic purposes.
New description:
As Solar Designer (the author of the PHPass library that we use) pointed
out on Twitter ([https://twitter.com/solardiz/status/397355834638073856
1], [https://twitter.com/solardiz/status/397357245828440064 2]), we don't
use a CSPRNG in `wp_generate_password()` (and the underlying `wp_rand()`).
The current implementation of `wp_rand()` uses `mt_rand()`, which is the
Mersenne Twister PRNG. MT is '''not cryptographically secure''', and Solar
Designer also has a [http://www.openwall.com/php_mt_seed/ seed cracker]
for it.
We don't always need a CSPRNG, and `wp_generate_password()` is used for
purposes other than passwords too (woo), so switching might not be ideal
for everyone using it (since not everyone needs the string for passwords,
but might just be for a random token string).
I'd like to propose we introduce `wp_csrand()` and use it by default in
`wp_generate_password()`. I'd also like to add an extra parameter to
`wp_generate_password()` to allow using `mt_rand()` instead, for non-
cryptographic purposes.
--
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25816#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list