by robbya 2347 days ago
> Most any language's built in pseudorandom number generator is going to be sufficiently random that you will have no trouble.

I once collected a $3k bug bounty over this. Python's lib/random module, which uses Mersenne Twister, should not be used for token generation. Mersenne Twister uses a relatively small state space and is fully deterministic (it never re-seeds or mixes in new entropy). If you get a couple of sequential random values you can reconstruct that state space and predict all future values, i.e. request a password reset 10x in a row and examine the tokens in the emails.

Please only use secure random number generators when creating security related tokens.

Example blog post: https://know.bishopfox.com/blog/2014/08/untwisting-mersenne-...
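An added example (not from the comment or the linked post) showing the two points above in Python: two `random.Random` instances that share a state produce identical "reset tokens", while `secrets` draws from the OS CSPRNG; the small AST checker and the constructed `SAMPLE_SOURCE` it scans are assumptions for illustration.

```python
import ast
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def insecure_token(rng: random.Random, length: int = 32) -> str:
    # Mersenne Twister output is a pure function of the generator's internal state.
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_token(nbytes: int = 32) -> str:
    # secrets uses the OS CSPRNG (os.urandom); there is no client-visible state to rebuild.
    return secrets.token_urlsafe(nbytes)


def demonstrate_determinism(seed: int = 1234) -> bool:
    # A second generator given the same state emits the same tokens: anyone who
    # recovers the state from observed outputs can predict every later token.
    a = random.Random(seed)
    b = random.Random()
    b.setstate(a.getstate())
    return [insecure_token(a) for _ in range(3)] == [insecure_token(b) for _ in range(3)]


# random-module functions whose output must never become a security token.
UNSAFE_RANDOM_CALLS = {"random", "randint", "randrange", "choice", "choices",
                       "getrandbits", "sample", "shuffle"}


def find_unsafe_token_calls(source: str) -> list:
    """Flag random.<fn>(...) inside functions whose name suggests a security token."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        if not any(k in func.name.lower() for k in ("token", "reset", "nonce", "secret")):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and isinstance(node.func.value, ast.Name)
                    and node.func.value.id == "random"
                    and node.func.attr in UNSAFE_RANDOM_CALLS):
                findings.append((node.lineno, f"{func.name}: random.{node.func.attr}"))
    return findings


# Constructed sample code for the checker: one insecure and one secure token function.
SAMPLE_SOURCE = '''
import random, secrets
def make_reset_token():
    return "".join(random.choice("abcdef0123456789") for _ in range(32))
def make_session_token():
    return secrets.token_hex(16)
'''
```

Running `find_unsafe_token_calls(SAMPLE_SOURCE)` reports only `make_reset_token`, the function that builds its token from `random.choice`.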


Is /udev/random considered secure?

Edit: never mind, your article named it as a good choice