CodeIgniter Forums
Deprecate random_string basic/md5/sha1 - Printable Version




Deprecate random_string basic/md5/sha1 - kenjis - 03-06-2023

Is anyone using the following types of random_string()?

Quote:
basic: A random number based on mt_rand() (length ignored).
md5: An encrypted random number based on md5() (fixed length of 32).
sha1: An encrypted random number based on sha1() (fixed length of 40).
https://codeigniter4.github.io/CodeIgniter4/helpers/text_helper.html#random_string

As you know, these values are cryptographically insecure.
I personally do not understand the use case.
I suggest that they be deprecated.
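
Added example, not part of the original post and not CodeIgniter's own code: the sketch below shows why hashing an mt_rand() value adds length but no unpredictability, next to a CSPRNG-backed token. The `weak_*`, `secure_token` and `replay` functions are hypothetical stand-ins written from the documented descriptions quoted above, and the seed is a constructed value.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the helper types discussed in the thread;
// they follow the documented descriptions, not CodeIgniter's source.
function weak_basic(): string { return (string) mt_rand(); }
function weak_md5(): string   { return md5((string) mt_rand()); }
function weak_sha1(): string  { return sha1((string) mt_rand()); }

// CSPRNG-backed token: $bytes bytes of entropy, hex-encoded.
function secure_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Runs a generator twice, resetting the Mersenne Twister to the same seed
// before each call, and returns both outputs for comparison.
function replay(callable $gen, int $seed): array
{
    mt_srand($seed);
    $first = $gen();
    mt_srand($seed);
    $second = $gen();
    return [$first, $second];
}

$seed = 20230306; // constructed seed value

// The mt_rand()-based variants repeat exactly once the generator state is known.
foreach (['weak_basic', 'weak_md5', 'weak_sha1'] as $fn) {
    [$a, $b] = replay($fn, $seed);
    printf("%-12s len=%2d reproducible=%s\n", $fn, strlen($a), $a === $b ? 'yes' : 'no');
}

// random_bytes() does not depend on the mt_rand() state, so reseeding has no effect.
[$a, $b] = replay(fn () => secure_token(), $seed);
printf("%-12s len=%2d reproducible=%s\n", 'secure_token', strlen($a), $a === $b ? 'yes' : 'no');

// mt_rand() has mt_getrandmax() + 1 possible outputs, so a digest of it can
// take no more distinct values than that, whatever the digest length.
printf("weak token space   <= 2^%d values\n", (int) round(log(mt_getrandmax() + 1, 2)));
printf("secure token space  = 2^%d values\n", 16 * 8);
```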


RE: Deprecate random_string basic/md5/sha1 - InsiteFX - 03-06-2023

No, I quit using them a while back because like you say they are insecure.


RE: Deprecate random_string basic/md5/sha1 - ozornick - 03-08-2023

I use "crypto" and "alnum" to generate token strings. Just random strings (w/o security context).


RE: Deprecate random_string basic/md5/sha1 - kenjis - 03-09-2023

crypto is secure. alnum is not secure now, but I'm going to make it secure.


RE: Deprecate random_string basic/md5/sha1 - superior - 03-09-2023

In the past I've used this for generating a hash to compare with payments.
Now using the hash_hmac() and hash_equals() for that, so the above is not being used by me anymore.


RE: Deprecate random_string basic/md5/sha1 - tgix - 03-09-2023

+1 for alnum, but we are migrating towards ULID


RE: Deprecate random_string basic/md5/sha1 - kenjis - 03-09-2023

(03-09-2023, 02:44 AM)tgix Wrote: +1 for alnum, but we are migrating towards ULID

What do you mean by +1 for alnum?

My proposal is to make basic/md5/sha1 deprecated.


RE: Deprecate random_string basic/md5/sha1 - tgix - 03-09-2023

(03-09-2023, 02:49 AM)kenjis Wrote:
(03-09-2023, 02:44 AM)tgix Wrote: +1 for alnum, but we are migrating towards ULID

What do you mean by +1 for alnum?

My proposal is to make basic/md5/sha1 deprecated.

OK, I quickly read it as deprecating random_string().


RE: Deprecate random_string basic/md5/sha1 - MahishTanzon - 03-17-2023

It is important to note that using the basic, md5, and sha1 methods of random_string() may not be secure as they are not cryptographically secure.

While there may be some use cases for these methods, it is recommended to use more secure methods for generating random strings, such as the OpenSSL library.

Considering the potential security risks associated with using these methods, it may be a good idea to deprecate them and encourage the use of more secure options.


RE: Deprecate random_string basic/md5/sha1 - kenjis - 03-17-2023

Updated the docs:
https://codeigniter4.github.io/CodeIgniter4/helpers/text_helper.html#random_string