- WoltLab Suite Forum
In PasswordUtil::getRandomSalt() and MathUtil::getRandomValue() you use mt_rand() to generate pseudo-random integers.
As noted in the documentation:
This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.
The openssl_random_pseudo_bytes() documentation includes numerous examples on how to create a secure replacement for (integer) rand().
So unless I am missing something I suggest using it. Since you even went to all the trouble of impelemting a slow equals function this seems like an odd place to stop.
The PasswordUtil::getRandomPassword() appears odd as well.
You use an array of character classes (upper case, lower case, numbers and
special chars) and cycle through these for selecting characters. This
ensures that characters from each class will be present, however it also
reduces the overall entropy of the generated password. From a
cryptographic point of view this approach is simply counterproductive.
(Even the cycling part looks weird:
$type = ($i % 4 == 0) ? 0 : ($type + 1);
$type = $i % 4;)