From 660d3a57d6e96f9920a32412120d39d45de55f26 Mon Sep 17 00:00:00 2001
From: Scott Arciszewski
Date: Thu, 13 Feb 2014 13:26:54 -0500
Subject: [PATCH] Inconsistently insecure Why use a strong random number generator in one place, but not another? I know salts have no cryptographic security requirement, but collisions are less likely if you use one.
---
 framework/helpers/BaseSecurity.php | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/framework/helpers/BaseSecurity.php b/framework/helpers/BaseSecurity.php
index ba7567f..9e27c71 100644
--- a/framework/helpers/BaseSecurity.php
+++ b/framework/helpers/BaseSecurity.php
@@ -336,13 +336,10 @@ class BaseSecurity
 }
 // Get 20 * 8bits of pseudo-random entropy from mt_rand().
- $rand = '';
- for ($i = 0; $i < 20; ++$i) {
- $rand .= chr(mt_rand(0, 255));
- }
+ $rand = openssl_random_pseudo_bytes(20);
 // Add the microtime for a little more entropy.
- $rand .= microtime();
+ $rand .= microtime(true);
 // Mix the bits cryptographically into a 20-byte binary string.
 $rand = sha1($rand, true);
 // Form the prefix that specifies Blowfish algorithm and cost parameter.
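Review bot: The new `openssl_random_pseudo_bytes(20)` call is used unchecked: if the OpenSSL extension is not loaded the call is a fatal error, and if it returns `false` or reports a non-strong result the salt is silently derived from `microtime(true)` alone once it passes through `sha1()`. Pass the second argument and test both it and the return value, or reuse the strong-random code path the commit message says already exists elsewhere in this file (not visible in this hunk). The context comment directly above the call still says the entropy comes from `mt_rand()` and should be updated with the change. `microtime(true)` is also concatenated as a float rendered at the `precision` ini setting, which typically carries fewer sub-second digits than the string form it replaces, so the timestamp mix-in becomes coarser rather than finer. The enclosing method starts and ends outside the hunk, so the failure handling below is a sketch to adapt to the class's own exception type.

```php
// Get 20 bytes from the OpenSSL CSPRNG; never continue with weak or missing output.
if (!function_exists('openssl_random_pseudo_bytes')) {
    throw new \RuntimeException('OpenSSL extension is required to generate a salt.');
}
$rand = openssl_random_pseudo_bytes(20, $strong);
if ($rand === false || $strong !== true) {
    throw new \RuntimeException('Unable to obtain strong random bytes for the salt.');
}
// … unchanged: microtime mix-in, sha1() mixing and prefix construction …
```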