Skip Menu |
 

This queue is for tickets about the Crypt-GeneratePassword CPAN distribution.

Report information
The Basics
Id: 123302
Status: new
Priority: 0/
Queue: Crypt-GeneratePassword

People
Owner: Nobody in particular
Requestors: NEWELLC [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Should not use rand function out of the box
Download (untitled) / with headers
text/plain 483b
The warning 'The default implementation uses perl's rand(), which might not be appropriate for some sites.' is far too weak. Given a look at a single random number from rand it is possible to completely predict the state of rand and therefore what this module will generate out of the box from then on. The module should use a CSPRNG, not the rand function. Ideally this should be one of the OS provided CSPRNG's like /dev/urandom, the relevant syscall, or the Windows equivalent.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.