|Subject:||Should not use rand function out of the box|
The warning 'The default implementation uses perl's rand(), which might not be appropriate for some sites.' is far too weak. Given a look at a single random number from rand it is possible to completely predict the state of rand and therefore what this module will generate out of the box from then on. The module should use a CSPRNG, not the rand function. Ideally this should be one of the OS provided CSPRNG's like /dev/urandom, the relevant syscall, or the Windows equivalent.