Posted to dev@syncope.apache.org by "Massimiliano Perrone (JIRA)" <ji...@apache.org> on 2013/05/28 15:43:20 UTC

[jira] [Closed] (SYNCOPE-374) SyncopeUser tokens do not use secure random strings

     [ https://issues.apache.org/jira/browse/SYNCOPE-374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Massimiliano Perrone closed SYNCOPE-374.
----------------------------------------

    
> SyncopeUser tokens do not use secure random strings
> ---------------------------------------------------
>
>                 Key: SYNCOPE-374
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-374
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1.1
>            Reporter: Jesse van Bekkum
>            Assignee: Massimiliano Perrone
>            Priority: Minor
>             Fix For: 1.1.2, 1.2.0
>
>
> The SyncopeUser.generateToken() function generates a token using the RandomStringUtils class. This class uses the normal Java Random class, which uses the current time in milliseconds as seed.
> This means that the generated tokens can be predicted by an attacker. This forum post explains the issue: http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
> It also lists some solutions.
> It is more secure to use a cryptographically secure string, as explained here: 
> http://commons.apache.org/proper/commons-math/userguide/random.html

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
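The following is an added example, not Syncope code and not the fix that was committed for this ticket. It shows the weakness the reporter describes (a java.util.Random seeded from the clock, as older JDKs did for `new Random()`) by recovering a 32-character alphanumeric token with a few thousand online guesses around the issue time, and the hardened form using java.security.SecureRandom. The token length, the alphabet, the 5-second guess window and the method names are assumptions for illustration; the `equals()` check stands in for a reset endpoint's accept/reject response. Note that even a Random seeded from `System.nanoTime()` is not safe: its 48-bit LCG state can be reconstructed from two consecutive outputs, so the cure is a CSPRNG, not a better seed.

```java
import java.security.SecureRandom;
import java.util.Random;

/**
 * Added example, not Syncope code. Demonstrates why a clock-seeded
 * java.util.Random makes tokens recoverable and how SecureRandom fixes it.
 * Token length, alphabet and guess window are assumptions for illustration.
 */
public class TokenSeedDemo {

    private static final String ALPHANUM =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    /** Draws 'length' characters from ALPHANUM using whatever Random it is given. */
    private static String fromAlphabet(Random rnd, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHANUM.charAt(rnd.nextInt(ALPHANUM.length())));
        }
        return sb.toString();
    }

    /** Weak: the pattern the ticket describes, a java.util.Random seeded from the clock. */
    static String weakToken(int length, long clockSeed) {
        return fromAlphabet(new Random(clockSeed), length);
    }

    /** Hardened: SecureRandom is seeded from the platform CSPRNG; there is no caller-visible seed. */
    static String secureToken(int length) {
        return fromAlphabet(new SecureRandom(), length);
    }

    public static void main(String[] args) {
        // Server side (simulated): a reset token issued at some moment in time.
        long issuedAt = System.currentTimeMillis();
        String issued = weakToken(32, issuedAt);

        // Attacker side: knows roughly when the reset was requested (e.g. from the
        // Date: header of the reset e-mail) and tries every millisecond seed in a
        // window of +/- 5 s. equals() stands in for the endpoint's accept/reject
        // answer, so this is about 10,000 online guesses instead of 62^32.
        long found = -1;
        for (long guess = issuedAt - 5_000; guess <= issuedAt + 5_000; guess++) {
            if (weakToken(32, guess).equals(issued)) {
                found = guess;
                break;
            }
        }
        System.out.println("weak token recovered: " + (found != -1)
                + " (seed " + found + ", " + (found - issuedAt + 5_001) + " guesses)");

        // With SecureRandom there is no seed to guess; successive tokens share nothing.
        String t1 = secureToken(32);
        String t2 = secureToken(32);
        System.out.println("secure tokens differ: " + (!t1.equals(t2)));
    }
}
```

If the code base keeps using Commons Lang, the same hardening is available without a custom alphabet loop: the overload `RandomStringUtils.random(count, 0, 0, true, true, null, new SecureRandom())` accepts a caller-supplied java.util.Random, and SecureRandom is a subclass of it, so the CSPRNG is used for every character.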