Yes, this is an HP Fortify bug!
Random foo = new Random();
int bar = foo.Next(42);
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/javascript/insecure_randomness.html is a write-up on why it is rotten for random password generation stuff. I found http://msdn.microsoft.com/en-us/library/system.web.security.membership.generatepassword.aspx online, which suggests using Membership.GeneratePassword to beat the problem. The example in the link is:
string password = Membership.GeneratePassword(12, 1);
12 is the length and 1 is the MINIMUM number of characters that are not alphanumeric.
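Where System.Web is not available, the same finding can be cleared by drawing from the OS CSPRNG directly. The sketch below is an added example, not code from the original post or from the linked pages; the class name SecureRandomExample and the Alphabet string are assumptions made for illustration. It shows a drop-in counterpart of foo.Next(42) that uses rejection sampling to avoid modulo bias, and a password generator built on it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SecureRandomExample   // hypothetical name, for illustration only
{
    // Uniform integer in [0, maxExclusive) taken from the OS CSPRNG.
    // Rejection sampling discards raw values that would introduce modulo bias.
    public static int Next(RandomNumberGenerator rng, int maxExclusive)
    {
        if (maxExclusive <= 0)
            throw new ArgumentOutOfRangeException(nameof(maxExclusive));

        uint range = (uint)maxExclusive;
        // Largest multiple of range that fits in 2^32; raw values at or above it are rejected.
        ulong limit = (1UL << 32) / range * range;
        byte[] buf = new byte[4];
        uint value;
        do
        {
            rng.GetBytes(buf);
            value = BitConverter.ToUInt32(buf, 0);
        } while (value >= limit);

        return (int)(value % range);
    }

    // Constructed sample alphabet (assumption); adjust to the password policy in force.
    const string Alphabet =
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*";

    public static string GeneratePassword(int length)
    {
        if (length <= 0)
            throw new ArgumentOutOfRangeException(nameof(length));

        var sb = new StringBuilder(length);
        using (var rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < length; i++)
                sb.Append(Alphabet[Next(rng, Alphabet.Length)]);
        }
        return sb.ToString();
    }

    static void Main()
    {
        using (var rng = RandomNumberGenerator.Create())
            Console.WriteLine(Next(rng, 42));    // CSPRNG counterpart of foo.Next(42)
        Console.WriteLine(GeneratePassword(12)); // 12 characters from Alphabet
    }
}
```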