Contrib.social

OTP code is not truly random

Open on Drupal.org โ†’
Created on 16 June 2025, 11 days ago

Problem/Motivation

This module uses mt_rand() to generate the OTP code.
This function is not truly random and uses a known algorithm based on a seed.
The PHP doc says:

This function does not generate cryptographically secure values, and must not be used for cryptographic purposes, or purposes that require returned values to be unguessable.

Steps to reproduce

Proposed resolution

The random_int() function should probably be used instead.

Remaining tasks

User interface changes

API changes

Data model changes

๐Ÿ› Bug report
Status

Active

Version

2.0

Component

Code

Created by

๐Ÿ‡ซ๐Ÿ‡ทFrance prudloff Lille

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024