Ticket #1092 (open enhancement)
random_key() has modulo bias
- Created: 2016-08-19 10:17:46
- Reported by: Samas
- Assigned to: None
- Milestone: 1.6
- Component: security
- Priority: low
The function random_key has a modulo bias when $readable is true.
"That function is biased in the case where $readable is true, since it's using a random integer in the range [0,256] to select a random integer in the range [0, 62] using % 62, so the result is that A,B,C,D,E,F,G,H are 20% more likely to be chosen than the rest of the letters. They could fix it by adding 2 more characters to $chars so that its total length is 64 (if its length divides 256 then it's okay)." (Taylor Hornby (DefuseSec))
What about adding '-' and '_' to $chars so the length becomes 64? It should not cause problems with URLs.
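An added example (not code from the ticket or from the project) that quantifies the bias described above and shows both remedies discussed: the 64-symbol alphabet, and rejection sampling, which also removes the bias for any alphabet length. The alphabet order and the draw_byte hook are assumptions.

```python
import secrets

# Constructed 62-symbol readable alphabet (order is an assumption, not the project's $chars)
READABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# The 64-symbol set proposed in the ticket: 256 % 64 == 0, so '% len' is uniform
READABLE_64 = READABLE + "-_"


def hit_counts(alphabet):
    """Exact number of the 256 byte values that map to each symbol via 'byte % len'."""
    n = len(alphabet)
    counts = {c: 0 for c in alphabet}
    for b in range(256):
        counts[alphabet[b % n]] += 1
    return counts


def bias_ratio(alphabet):
    """Most-likely / least-likely symbol probability; 1.0 means no modulo bias."""
    counts = hit_counts(alphabet)
    return max(counts.values()) / min(counts.values())


def unbiased_index(n, draw_byte=lambda: secrets.randbits(8)):
    """Rejection sampling: discard bytes at or above the largest multiple of n
    that fits in 256, so every residue class is hit by exactly the same number
    of accepted bytes. For n == 62 the limit is 248 (8 of 256 bytes rejected)."""
    limit = 256 - (256 % n)
    while True:
        b = draw_byte()
        if b < limit:
            return b % n


def rejection_counts(n):
    """Push every byte value once through the acceptance rule; each index
    must come out with the same count, proving the mapping is uniform."""
    limit = 256 - (256 % n)
    counts = [0] * n
    for b in range(256):
        if b < limit:
            counts[b % n] += 1
    return counts


def random_key(length, alphabet=READABLE):
    """Readable key with no modulo bias, for any alphabet length."""
    n = len(alphabet)
    return "".join(alphabet[unbiased_index(n)] for _ in range(length))
```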
Franz 2016-08-29 09:11:25
- Milestone set to 1.5.11.
Thanks for the report, we will look into it.
Franz 2018-07-17 22:24:31
- Status changed from open to wontfix.
Not worth the effort. We will use proper PHP core functions soon.
Thanks for the report, nonetheless!
Visman 2018-07-20 09:44:13
We will use proper PHP core functions soon.
No function from PHP comes to mind that would generate a readable password.
Franz 2018-07-21 21:19:39
We can use random_bytes() and bin2hex().
Franz 2018-07-21 21:24:02
...or something more like this if the full Latin alphanumeric range is important to us.
Visman 2018-07-22 03:51:12
The same, only at a different angle.
And only PHP 7+.
Franz 2018-07-22 06:28:23
- Milestone changed from 1.5.11 to 1.6.
- Status changed from wontfix to open.
What do you mean by "same"? The modulo bias? I don't see how.
As for PHP 7, we will use the paragonie library as a fallback.
Visman 2018-07-22 06:48:02
In PHP, there is no function that would give a readable password with a wide range of characters.
It's easier to add two characters to the current function's set than to reinvent the wheel https://github.com/laravel/framework/bl … #L283-L302
In both cases the same random-byte generation functions are used anyway.