[rt-devel] [Rt-commit] rt branch, 4.2/bcrypt-passwords, created. rt-4.1.19-109-g501c2fb
Reed Loden
reed at reedloden.com
Wed Sep 4 14:54:41 EDT 2013
Sorry for missing this initially, but I think it's important enough to
bring it up.
> + # Generate a random 16-octet base64 salt
> + $salt = "";
> + $salt .= pack("C", int rand(256)) for 1..16;
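Review bot: the salt bytes on the third quoted line come from `int rand(256)`, and Perl's rand() is not a cryptographic PRNG, so the 16 octets should instead be read from /dev/urandom or a CSPRNG-backed CPAN module. The comment on the first quoted line also says "base64 salt" while the loop assembles raw octets; either base64-encode the buffer where the comment promises it, or reword the comment to say "16 random octets".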
rand() is *not* cryptographically secure[0], and you should not be
relying on it for salt generation. If RT doesn't already have some
method of securely generating randomness, there are plenty of
third-party CPAN modules that you can use.
~reed
[0] http://perldoc.perl.org/functions/rand.html
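The following is an added example, not code from the RT branch or from the reply above. It shows the replacement Reed is asking for: the 16 salt octets come from the kernel CSPRNG (/dev/urandom) rather than rand(), and are then base64-encoded into a bcrypt settings string. It assumes Crypt::Eksblowfish::Bcrypt is installed and /dev/urandom exists; a CPAN module such as Crypt::URandom would serve equally well as the byte source. The password strings are constructed test data.

```perl
#!/usr/bin/perl
# Added example (not RT's code): bcrypt salt from the kernel CSPRNG instead of
# Perl's rand(). Assumes Crypt::Eksblowfish::Bcrypt and /dev/urandom.
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

# Read exactly $n octets from /dev/urandom; die rather than fall back to rand().
sub secure_random_octets {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "Cannot open /dev/urandom: $!";
    my $buf = '';
    while (length $buf < $n) {
        my $got = sysread $fh, $buf, $n - length $buf, length $buf;
        die "short read from /dev/urandom: $!" unless defined $got && $got > 0;
    }
    close $fh;
    return $buf;
}

# Build a bcrypt settings string "$2a$<cost>$<22-char salt>" from 16 raw
# octets; bcrypt's base64 alphabet differs from MIME, hence en_base64.
sub bcrypt_settings {
    my ($cost) = @_;
    my $salt = secure_random_octets(16);    # 16 octets, as bcrypt requires
    return sprintf('$2a$%02d$%s', $cost, en_base64($salt));
}

# Hash a password with a fresh salt; returns the 60-character crypt string.
sub hash_password {
    my ($password, $cost) = @_;
    $cost //= 10;
    return bcrypt($password, bcrypt_settings($cost));
}

# Verify by re-hashing with the settings embedded in the stored hash
# (its first 29 characters) and comparing in constant time.
sub check_password {
    my ($password, $stored) = @_;
    my $settings  = substr($stored, 0, 29);
    my $candidate = bcrypt($password, $settings);
    return 0 unless length $candidate == length $stored;
    my $diff = 0;
    $diff |= ord(substr($candidate, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0;
}

# Constructed test input.
my $hash = hash_password('correct horse battery staple');
print "$hash\n";
print check_password('correct horse battery staple', $hash) ? "ok\n" : "mismatch\n";
print check_password('wrong password', $hash)               ? "ok\n" : "mismatch\n";
```

The loop around sysread matters: a single read can legitimately return fewer bytes than requested, and silently accepting a short salt is the same class of bug as using rand().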