Use only crypto/rand for token generation.

Question

Use only crypto/rand for token generation.

justinas opened this issue 11 years ago · 1 comments

math/rand is cryptographically insecure and thus isn't suitable for token generation. We should switch to only using crypto/rand.

This should be an easy, non-breaking change.

Answer 1 · 2013-08-26T15:38:37.000Z

The new token algorithm is up on master. It utilizes crypto/rand, acquiring 32 bytes from it and encoding them in base64. SHA256 has been removed out of the equation, as it's usefulness in this is questionable.