Posted to dev@syncope.apache.org by "Jesse van Bekkum (JIRA)" <ji...@apache.org> on 2013/05/28 14:25:19 UTC

[jira] [Created] (SYNCOPE-374) SyncopeUser tokens do not use secure random strings

Jesse van Bekkum created SYNCOPE-374:
----------------------------------------

             Summary: SyncopeUser tokens do not use secure random strings
                 Key: SYNCOPE-374
                 URL: https://issues.apache.org/jira/browse/SYNCOPE-374
             Project: Syncope
          Issue Type: Improvement
          Components: core
    Affects Versions: 1.1.1
            Reporter: Jesse van Bekkum
            Priority: Minor


The SyncopeUser.generateToken() function generates a token using the RandomStringUtils class. This class uses the normal Java Random class, which uses the current time in milliseconds as seed.

This means that the generated tokens can be predicted by an attacker. This forum post explains the issue and also lists some solutions: http://stackoverflow.com/questions/1741160/how-can-i-create-a-password

It is more secure to use a cryptographically secure string, as explained here: 
http://commons.apache.org/proper/commons-math/userguide/random.html
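The following is an added illustration of the point above; it is not code from Syncope or from the reporter. It places the weak pattern the issue describes (a token drawn from a clock-seeded java.util.Random) next to a hardened generator that draws from java.security.SecureRandom, using only the JDK. The class and method names are made up for the example.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added example, not Syncope's own code. Contrasts a clock-seeded java.util.Random
// token generator (the weakness SYNCOPE-374 reports) with a SecureRandom-backed one.
public class TokenGeneratorExample {

    // Alphanumeric alphabet: 62 symbols, so a 32-character token carries about 190 bits.
    private static final char[] ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();

    // Weak: java.util.Random is a 48-bit linear congruential generator whose default
    // seed is derived from the system clock. An observer who can narrow down the seed
    // can reproduce every token it emits. Kept here only for contrast.
    static String weakToken(int length) {
        Random rng = new Random(); // seed taken from the clock at construction time
        return draw(rng, length);
    }

    // Hardened: SecureRandom is backed by the platform CSPRNG (for example /dev/urandom
    // on Linux). Its output cannot be predicted from earlier tokens, and one instance
    // can be shared safely because the class is thread-safe.
    private static final SecureRandom SECURE = new SecureRandom();

    static String secureToken(int length) {
        return draw(SECURE, length);
    }

    // Maps random integers onto the alphabet. nextInt(bound) is unbiased, unlike
    // (nextInt() % bound), which skews the distribution when bound is not a power of two.
    private static String draw(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET[rng.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("weak   : " + weakToken(32));
        System.out.println("secure : " + secureToken(32));
    }
}
```

If the code must keep using RandomStringUtils, commons-lang offers an overload that accepts the Random instance to draw from, so a SecureRandom can be passed in instead of relying on the default one; the fix is then a one-line change at the call site rather than a new generator. Either way, tokens should also be compared with a constant-time method (for example MessageDigest.isEqual) so that the check does not leak how many leading characters matched.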
