Use of a Broken or Risky Cryptographic Algorithm in x360ce/x360ce
Jan 26th 2022
The password-generation algorithm used in the function
NewPassword() simply adds bias to the output password instead of making it easier to remember.
Proof of Concept
- Use the
NewPassword()function a large amount of times and store the output.
- Look at the frequency of each character on a distribution graph.
This vulnerability is capable of cutting down the amount of brute-force attempts an attacker needs to try as the likelihood of each character being one of a given user's password is higher for some than others.
Thank you for reporting this issue. I will check for more secure random function and increase password length.
No problem, I've submitted a patch for this issue - if it looks good and the character-set looks appropriate could you approve the report on here and merge the patch to the main branch? The password length has been changed to 12-32 characters and a standard CSPRNG has been implemented!