You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Looking for a native solution to create random strings, I stumbled upon the generate Password function today.
I've noticed that the "randomness" of the generated Password relies on mt_rand(), a "Pseudo-Random Number Generator". I guess this is a pice of code that has been active from the old php5 days. PRNG are considered to be a "weak" nowadays.
Basing a random number on a timestamp using srand() is also considered to be a potential problem.
source: core/model/modx/moduser.class.php, line 797
/**
* Returns a randomly generated password
*
* @param integer $length The length of the password
* @param array $options
* @return string The newly generated password
*/
public function generatePassword($length = null,array $options = array()) {
if ($length === null) {
$length = $this->xpdo->getOption('password_generated_length', null, 10, true);
}
$passwordMinimumLength = $this->xpdo->getOption('password_min_length', null, 8, true);
if ($length < $passwordMinimumLength) {
$length = $passwordMinimumLength;
}
$options = array_merge(array(
'allowable_characters' => 'abcdefghjkmnpqrstuvxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789',
'srand_seed_multiplier' => 1000000,
),$options);
$ps_len = strlen($options['allowable_characters']);
srand((double) microtime() * $options['srand_seed_multiplier']);
$pass = '';
for ($i = 0; $i < $length; $i++) {
$pass .= $options['allowable_characters'][mt_rand(0, $ps_len -1)];
}
return $pass;
}
Why is it needed?
Random passwords should be random by todays standards.
I'm aware that its very unlikely that the login mechanism might be compromised by this "vulnerabilty", but I like to point out that a modx developer might make use of this function to generate a "secure" and "random" strings for other purposes.
Suggested solution(s)
In php 7 "Cryptographically Secure Pseudo-Random NUMBER/STRING Generators" are available. These methods are considered to be "strong":
The random_bytes() function returns a binary string which may contain the \0 character. This can cause trouble in several common scenarios, such as storing this value in a database or including it as part of the URL. The solution is to hash the value returned by random_bytes() with a hashing function such as md5 or sha1.
SOURCE: https://symfony.com/doc/current/components/security/secure_tools.html
Discussion
How important are random strings/numbers?
Should modx provide them, or should developers create their own methods?
Are there more random number/string generators inside the core that should be reviewed?
Cheers patrick
The text was updated successfully, but these errors were encountered:
patrickatwsrn
changed the title
Use strong random number/string generators Password()
Use strong random number/string generators inside generatePassword()
Jun 17, 2021
Could it be possible at least to add some special chars in the allowable_characters? I mean here: $options = array_merge(array( 'allowable_characters' => 'abcdefghjkmnpqrstuvxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789', 'srand_seed_multiplier' => 1000000, ),$options);
I remember that some chars are not allowed by modx, but these seem to work:
Feature request
Summary
Looking for a native solution to create random strings, I stumbled upon the generate Password function today.
I've noticed that the "randomness" of the generated Password relies on mt_rand(), a "Pseudo-Random Number Generator". I guess this is a pice of code that has been active from the old php5 days. PRNG are considered to be a "weak" nowadays.
Basing a random number on a timestamp using srand() is also considered to be a potential problem.
Why is it needed?
Random passwords should be random by todays standards.
I'm aware that its very unlikely that the login mechanism might be compromised by this "vulnerabilty", but I like to point out that a modx developer might make use of this function to generate a "secure" and "random" strings for other purposes.
Suggested solution(s)
In php 7 "Cryptographically Secure Pseudo-Random NUMBER/STRING Generators" are available. These methods are considered to be "strong":
PHP 5.x polyfill for random_bytes() and random_int()
SIDENOTE:
Discussion
Cheers patrick
The text was updated successfully, but these errors were encountered: