On 26 February 2015 at 15:04, Tom Worster <f...@thefsb.org> wrote:

>> I actually started down this RFC path out of frustration on this very
>> point of needing secure random alphanumeric strings. The original RFC &
>> patch contained a `random_hex()` function that would convert bytes from
>> the CSPRNG into hex.
>
> bin2hex(random_bytes(8)) is so easy i don't think a new shorthand
> function is worth it.
I can't help but notice the output of this is 16 bytes. Please, please tell me that you don't use the output of bin2hex(random_bytes(8)) for a key or IV. This is so dangerous and I'm actually worried about how many people actually do this.

Apologies if this is just a coincidence, but for the benefit of _anyone_ reading this, never ever ever (ever!) use an encoded value for a key or IV. Not hex, not base64, not anything exotic you've dreamed up to make things "more random". If you know a project doing this, spread the word, this is something that needs to be fixed through education.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
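The entropy loss the reply above warns about, as an added PHP example that is not part of the thread: the hex-encoded "key" is 16 characters but only 64 bits of entropy, and a simple alphabet check flags such keys. The function names `weak_key_from_hex`, `strong_key` and `looks_encoded` are this example's own.

```php
<?php
// Added example, not from the mailing-list thread. Shows why
// bin2hex(random_bytes(8)) is not a 128-bit key and how to spot keys
// that are really encoded text. Function names are this example's own.

// WRONG: 16 characters long, but every character is one of 16 hex digits,
// so there are only 2^64 possible keys (64 bits of entropy), not 2^128.
// The same applies to an IV built this way.
function weak_key_from_hex(): string {
    return bin2hex(random_bytes(8));
}

// RIGHT: 16 raw bytes straight from the CSPRNG, 2^128 possible keys.
// Encode only for storage or transport, and decode before use.
function strong_key(): string {
    return random_bytes(16);
}

// Heuristic check for a key that is really an encoded value. A genuinely
// random 16-byte string lands entirely in the hex alphabet with
// probability (16/256)^16 = 2^-64, so an all-hex key is almost certainly
// encoder output carrying at most 4 bits per byte; an all-base64-alphabet
// key carries at most 6 bits per byte.
function looks_encoded(string $key): ?string {
    if ($key === '') {
        return null;
    }
    if (ctype_xdigit($key)) {
        return 'hex';
    }
    if (preg_match('/^[A-Za-z0-9+\/]+=*$/', $key) === 1) {
        return 'base64';
    }
    return null;
}

$weak   = weak_key_from_hex();
$strong = strong_key();
printf("weak key:   %d bytes, 64 bits of entropy, looks %s\n",
    strlen($weak), looks_encoded($weak) ?? 'random');
printf("strong key: %d bytes, 128 bits of entropy, looks %s\n",
    strlen($strong), looks_encoded($strong) ?? 'random');
```

A key that the check reports as `hex` or `base64` should be treated as an encoded string and decoded (or regenerated from raw `random_bytes()`) before it is handed to a cipher.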