[Tickets #8425] Poor salt generation for crypt-*
bugs at horde.org
bugs at horde.org
Fri Jul 10 05:50:12 UTC 2009
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/8425
------------------------------------------------------------------------------
Ticket | 8425
Created By | lowzl at hotmail.com
Summary | Poor salt generation for crypt-*
Queue | Horde Framework Packages
Version | FRAMEWORK_3
Type | Bug
State | Unconfirmed
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
lowzl at hotmail.com (2009-07-10 01:50) wrote:
In lib/Horde/Auth.php, the function getSalt uses a poor algorithm for
generating salts for crypt-*. crypt allows, at the very least, all
Base64 characters in the salt, but the current algorithm only
generates hexadecimal digits. Furthermore, for crypt-md5, 8 bytes of
salt is permitted, so there are 64^8 = 2^48 possible salt values (if
we only allow Base64 characters), but on most systems, mt_rand() only
generates 2^31 different values, so the current algorithm generates at
most 2^31 different salt values.
A better algorithm would use, for example,
base64_encode(md5(sprintf('%08X%08X', mt_rand(), mt_rand()), TRUE))
instead of just md5(mt_rand()).
More information about the bugs
mailing list