On 19 October 2015 at 16:22, Tom Worster <f...@thefsb.org> wrote:

> On 10/18/15 7:39 PM, Ángel González wrote:
>
>> Korvin wrote:
>>
>>> +1 for 7.0.x security patch release, best effort sounds scary.
>>
>> This is a salt. It doesn't need to be cryptographically secure. Using
>> php_rand() there should pose no problem.
>> I would actually include that into the patch (move old lines 154-156
>> into the FAILURE if).
>
> A password salt needs to be unique. It does not need to be drawn from a
> CSPRNG but that is one of the few ways we can be reasonably confident of
> uniqueness (since, as usual, we assume the platform RNG is properly seeded).

A password salt should not be predictable; allowing a salt to potentially become predictable is a bad idea. The solution is to use a CSPRNG for generation of salts.
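
The uniqueness and predictability points discussed in this thread, as an added example that is not part of the original messages or of PHP's own source. The function names `weak_salt` and `strong_salt` and the seed value are hypothetical and constructed for illustration; the seedable generator used here is `mt_rand()`, standing in for a non-cryptographic fallback.

```php
<?php
// Added illustration: helper names are hypothetical, not PHP internals.

// Salt drawn from a seedable, non-cryptographic PRNG. Whoever knows or
// guesses the seed can reproduce the salt, and two processes that start
// from the same seed emit the same salt, so uniqueness is not assured.
function weak_salt(int $seed, int $len = 16): string
{
    mt_srand($seed);
    $salt = '';
    for ($i = 0; $i < $len; $i++) {
        $salt .= chr(mt_rand(0, 255));
    }
    return $salt;
}

// Salt drawn from the platform CSPRNG. random_bytes() throws when no
// secure source is available; the exception is left to propagate so the
// caller fails closed instead of silently using a weaker generator.
function strong_salt(int $len = 16): string
{
    return random_bytes($len);
}

// Constructed scenario: two workers that ended up with the same seed.
$seed = 1445271720; // constructed sample value
$a = weak_salt($seed);
$b = weak_salt($seed);
printf("seeded PRNG salts identical: %s\n", $a === $b ? 'yes' : 'no');

$c = strong_salt();
$d = strong_salt();
printf("CSPRNG salts identical:      %s\n", $c === $d ? 'yes' : 'no');
printf("CSPRNG salt (hex):           %s\n", bin2hex($c));
```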