[GH-ISSUE #24] Generated secret key isn't cryptographically secure #247

New issue

Closed

opened 2026-03-01 17:48:36 +03:00 by kerem · 4 comments

kerem commented 2026-03-01 17:48:36 +03:00

Owner

Copy link

Originally created by @aik099 on GitHub (Mar 11, 2016).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/24

The Google2FA::generateSecretKey method internally uses Google2FA::getRandomNumber, which uses mt_rand function. According to its documentation (see http://php.net/mt_rand) it should not be used in security-related contexts.

Since current usage exactly qualifies as security related context I'm proposing to:

1. use https://packagist.org/packages/paragonie/random_compat package to get random_int function, that was added only in PHP 7
2. use random_int instead of mt_rand

If you're interested I can send a PR.

Originally created by @aik099 on GitHub (Mar 11, 2016). Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/24 The `Google2FA::generateSecretKey` method internally uses `Google2FA::getRandomNumber`, which uses `mt_rand` function. According to its documentation (see http://php.net/mt_rand) it should not be used in security-related contexts. Since current usage exactly qualifies as security related context I'm proposing to: 1. use https://packagist.org/packages/paragonie/random_compat package to get `random_int` function, that was added only in PHP 7 2. use `random_int` instead of `mt_rand` If you're interested I can send a PR.

kerem closed this issue 2026-03-01 17:48:36 +03:00

kerem commented 2026-03-01 17:48:37 +03:00

Author

Owner

Copy link

@base-zero commented on GitHub (May 9, 2016):

👍

<!-- gh-comment-id:217891491 --> @base-zero commented on GitHub (May 9, 2016): 👍

kerem commented 2026-03-01 17:48:37 +03:00

Author

Owner

Copy link

@overint commented on GitHub (Jun 1, 2016):

This should definitely be changed. @aik099 did you create a pull request?

<!-- gh-comment-id:222891998 --> @overint commented on GitHub (Jun 1, 2016): This should definitely be changed. @aik099 did you create a pull request?

kerem commented 2026-03-01 17:48:37 +03:00

Author

Owner

Copy link

@aik099 commented on GitHub (Jun 1, 2016):

I haven't yet. If you'd like I can create it this week.

<!-- gh-comment-id:222917480 --> @aik099 commented on GitHub (Jun 1, 2016): I haven't yet. If you'd like I can create it this week.

kerem commented 2026-03-01 17:48:37 +03:00

Author

Owner

Copy link

@aik099 commented on GitHub (Jun 1, 2016):

PR created and ready for review.

<!-- gh-comment-id:223043483 --> @aik099 commented on GitHub (Jun 1, 2016): PR created and ready for review.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

9.x

fix-coverage

bump-to-version-9

10.x

reformat-code

add-linting

reorder-imports

8.x

install-php-84

test-on-php84

github-actions

master

7.x

pspstan

revert-124-123-google2fa_fix

v9.0.0

v8.0.3

v8.0.2

v8.0.1

8.0.0

v7.0.0

v6.1.3

v6.1.0

v6.0.1

v6.0.0

v4.0.2

v4.0.1

v5.0.0

v4.0.0

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.0.1

v1.0.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.0

v0.1.0

Labels

Clear labels   

bug

  

pull-request

Mirrored from GitHub Pull Request

No labels

bug

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/google2fa#247

No description provided.