Feature Proposal: Add a function to generate a cryptographically secure random string


Currently we use perl's rand() function to generate strings where needed. It's used in several places in core, including password salt, registration tokens, etc. This is not aligned with best practices. Rather than implement a string generator in multiple places, add it to Foswiki.pm

It might be useful to expose this in Foswiki::Func. However as the source of entropy for strong random strings is limited, it might be best to reserve it for use where truly required.

Description and Documentation

Add Foswiki::randomString( length, from-characters). It would use CPAN:Bytes::Random::Secure to return a string of the requested length. If the dependency is missing, it falls back to the original Foswiki/TWiki algorithm.

Use this function anywhere random strings are required including
  • password salt
  • registration token
  • validation token
  • request cache



It's possible to deplete system entropy if re-seeded too frequently. The default is to use dev/urandom on *nix systems to avoid blocking on insufficient entropy. The code should load on demand to minimize seeding the RNG when not required.



-- Contributors: GeorgeClark - 30 Sep 2017


Changes are all checked into the Item14506 branch. Awaiting merge.

-- GeorgeClark - 05 Dec 2017
Topic revision: r5 - 06 Feb 2018, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy