News Feed

News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way
php_mt_seed went beyond PoC (mt_rand seed cracker)
November 05, 2013 @ 12:49:12

As has reported, a flaw has been found in PHP's mt_rand functionality that allows the prediction of the result with just some of the other results.

With the functionality added in October, our php_mt_seed PHP mt_rand() seed cracker is no longer just a proof-of-concept, but is a tool that may actually be useful, such as for penetration testing. It is now a maintained project with its own homepage:

They include a bit of illustration code showing how the see cracker works - generating 10 "random" numbers between 0 and 9. An example of running the "php_mt_seed" command against these values is shown along with the time to crack (just under 20 seconds). There's also an example of cracking when you don't know all 10 numbers in the sequence too. This further reinforces the best practice of not using mt_rand when you need strong random numbers for the security related functionality of your application (something like openssl_random_pseudo_bytes is a much better option).

0 comments voice your opinion now!
mtrand seed cracker proofofconcept poc openwall


blog comments powered by Disqus

Similar Posts

Jonathan Street's Blog: Random thoughts on random strings

Suspekt Blog: mt_srand and not so random numbers

SitePoint PHP Blog: Build a Database with Eloquent, Faker and Flysystem

Leaseweb Labs Blog: POC: Flexible PHP Output Caching php_mt_seed went beyond PoC (mt_rand seed cracker)

Community Events

Don't see your event here?
Let us know!

laravel5 laravel api framework example interview version unittest voicesoftheelephpant opinion series podcast list release video community php7 introduction language library

All content copyright, 2015 :: - Powered by the Solar PHP Framework