This repository has been archived by the owner on Sep 8, 2021. It is now read-only.
Generate new passwords in a secure way
Previously, lost passwords were generated via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be brute-forced if an attacker is able to get the PRNG's output, for example by resetting their own account multiple times, leading to trivial privilege escalation attacks. This commit makes use of java.security.SecureRandom instead.
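To make the difference concrete, here is an added, self-contained Java example (not the project's own code and not taken from this commit) that places a password generator backed by java.util.Random, the predictable source the commit message describes, beside one backed by java.security.SecureRandom, the replacement it introduces. The class name PasswordReset, the alphabet, the password length and the entropy helper are assumptions chosen for illustration; the original code used RandomStringUtils rather than calling java.util.Random directly.

```java
import java.security.SecureRandom;
import java.util.Random;

/** Added example: weak vs. secure generation of a reset password. */
public final class PasswordReset {

    // Assumed alphabet: upper, lower and digits (62 symbols).
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Weak: java.util.Random keeps only 48 bits of state, so anyone who
    // observes a few outputs (e.g. their own reset passwords) can recover the
    // state and predict every later password. Do not use for secrets.
    private static final Random WEAK = new Random();

    // Fixed: SecureRandom is seeded from the platform's CSPRNG and its output
    // is not predictable from previous output.
    private static final SecureRandom STRONG = new SecureRandom();

    /** The pre-fix behaviour: predictable password from java.util.Random. */
    public static String weakPassword(int length) {
        return build(WEAK, length);
    }

    /** The post-fix behaviour: password drawn from SecureRandom. */
    public static String securePassword(int length) {
        return build(STRONG, length);
    }

    // nextInt(bound) is unbiased for both Random subclasses, so each symbol
    // of the alphabet is equally likely; the only difference is the source.
    private static String build(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Nominal entropy of a password: log2(|alphabet|) bits per character. */
    public static double entropyBits(int length) {
        return length * Math.log(ALPHABET.length()) / Math.log(2);
    }

    public static void main(String[] args) {
        int length = 16; // assumed reset-password length
        System.out.println("weak   : " + weakPassword(length));
        System.out.println("secure : " + securePassword(length));
        System.out.printf("nominal entropy: %.1f bits%n", entropyBits(length));
        // Note: the nominal entropy is identical for both generators; with
        // java.util.Random the effective entropy collapses to its 48-bit
        // state once an attacker sees output, which is the flaw being fixed.
    }
}
```

The point the example makes is that sampling uniformly from a large alphabet does not help when the underlying generator is predictable: the nominal entropy of both strings is the same, but only the SecureRandom-backed one keeps it against an observer. When reviewing similar code, the check is simply whether anything security-sensitive (reset tokens, session ids, one-time codes) is produced from java.util.Random, Math.random(), or a utility such as RandomStringUtils that wraps them.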