Fork me on GitHub
Subscribe 3

Ticket #1092 (open enhancement)

random_key() has modulo bias

  • Created: 2016-08-19 10:17:46
  • Reported by: Samas
  • Assigned to: None
  • Milestone: 1.6
  • Component: security
  • Priority: low

The function random_key has a modulo bias, when $readable is true.

"That function is biased in the case where $readable is true, since it's using a random integer in the range [0,256] to select a random integer in the range [0, 62] using % 62, so the result is that A,B,C,D,E,F,G,H are 20% more likely to be chosen than the rest of the letters. They could fix it by adding 2 more characters to $chars so that its total length is 64 (if it's length divides 256 then it's okay)." (Taylor Hornby (DefuseSec))

What about adding '-' and '_' to $chars so the length becomes 64? It should not cause problems with URLs.


Franz 2016-08-29 09:11:25

  • Milestone set to 1.5.11.

Thanks for the report, we will look into it.

Franz 2018-07-17 22:24:31

  • Status changed from open to wontfix.

Not worth the effort. We will use proper PHP core functions soon.

Thanks for the report, nonetheless!

Visman 2018-07-20 09:44:13

We will use proper PHP core functions soon.

Does not come to mind any function from php, which would generate a readable password.

Franz 2018-07-21 21:19:39

We can use random_bytes() and bin2hex().

Franz 2018-07-21 21:24:02

...or something more like this if the full Latin alphanumeric range is important to us.

Visman 2018-07-22 03:51:12

The same, only at a different angle.
And only php 7+.

Franz 2018-07-22 06:28:23

  • Milestone changed from 1.5.11 to 1.6.
  • Status changed from wontfix to open.

What do you mean by "same"? The modulo bias? I don't see how.

As for PHP 7, we will use the paragonie library as a fallback.

Visman 2018-07-22 06:48:02

In php, there is no function that would give a readable password with a wide range of characters.
It's easier to add two characters to the current function set than to take a new bike … #L283-L302

Functions of generation of a random series of bytes in both cases all the same same are used.