[rt-devel] [Rt-commit] rt branch, 4.2/bcrypt-passwords, created. rt-4.1.19-109-g501c2fb
reed at reedloden.com
Wed Sep 4 14:54:41 EDT 2013
Sorry for missing this initially, but I think it's important enough to
bring it up.
> + # Generate a random 16-octet base64 salt
> + $salt = "";
> + $salt .= pack("C", int rand(256)) for 1..16;
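Review bot: `int rand(256)` in the salt loop draws every octet from Perl's built-in rand(), which is a general-purpose PRNG and not a CSPRNG, so the bcrypt salt is only as unpredictable as that generator's seed. Fill `$salt` with 16 bytes from the operating system's random source instead, for example by reading /dev/urandom or using a CPAN module such as Crypt::URandom, and fail hard if fewer than 16 bytes come back. The comment also says "base64 salt", but the quoted lines only build raw octets with `pack("C", ...)`; either reword it to "16 random octets" or keep the encoding step next to it.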
rand() is *not* cryptographically secure, and you should not be
relying on it for salt generation. If RT doesn't already have some
method of securely generating randomness, there are plenty of
third-party CPAN modules that you can use.