Generate new passwords in a secure way
Previously, lost passwords were generated via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced if an attacker is able to get the PRNG's output, for example by resetting their own account multiple times, leading to trivial privilege escalation attacks. This commit makes use of java.security.SecureRandom instead.
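The shape of the fix described above, as an added example that is not the project's own code: the weak RandomStringUtils call the commit removes, beside a generator backed by java.security.SecureRandom. The class name, alphabet and password length are assumptions, since the page does not show them.

```java
import java.security.SecureRandom;

// Added example, not the project's own code: a lost-password generator
// backed by java.security.SecureRandom, replacing the
// RandomStringUtils/java.util.Random approach the commit message describes.
public final class LostPasswordGenerator {
    // Assumed alphabet; the project's actual character set is not on the page.
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // One SecureRandom shared by the class; it self-seeds from the platform CSPRNG.
    private static final SecureRandom RNG = new SecureRandom();

    // Weak form the commit removes: RandomStringUtils draws from java.util.Random,
    // whose 48-bit state can be recovered from observed output, so one reset
    // password reveals the state used to produce the next one.
    // String weak = org.apache.commons.lang.RandomStringUtils.randomAlphanumeric(12);

    // Hardened form: every character is chosen by SecureRandom.
    public static String generate(int length) {
        if (length < 1) {
            throw new IllegalArgumentException("length must be positive");
        }
        char[] out = new char[length];
        for (int i = 0; i < length; i++) {
            // nextInt(bound) is uniform over [0, bound), so there is no modulo bias.
            out[i] = ALPHABET.charAt(RNG.nextInt(ALPHABET.length()));
        }
        return new String(out);
    }

    public static void main(String[] args) {
        // Assumed length of 16; the page does not state the project's value.
        System.out.println(generate(16));
    }
}
```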