Talk:Insecure Randomness


The example isn't very well chosen in my opinion: a better PRNG (e.g. SecureRandom for Java) doesn't really help in this example since the seed can be pretty easily guessed. It exposes other vulnerabilities such as a timing attack when a second request is done within the same millisecond.

As a control I'd suggest mentioning that you should create a PRNG only once and reuse it instead of creating a new one each time. Or maybe that's another vulnerability...
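
Added example, not part of the comment above or of the article it discusses: a Java sketch of the two points raised, namely that a generator created per request and seeded from the clock returns the same value for every request in the same millisecond, and that the suggested control is a single self-seeded `SecureRandom` created once and reused. The class name, method names, token bound and loop sizes are assumptions made for the illustration.

```java
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Random;
import java.util.Set;

public class SeedReuseDemo {
    // Weak pattern (assumed shape of the code under discussion): a new
    // generator per call, seeded with the current time in milliseconds.
    // The output is a pure function of the request time.
    static int weakToken(long nowMillis) {
        Random r = new Random(nowMillis);
        return r.nextInt(1_000_000_000); // hypothetical token range
    }

    // Suggested control: one generator, created once, seeded by the
    // platform (no caller-supplied seed), shared by all callers.
    // SecureRandom is safe to share between threads.
    private static final SecureRandom SHARED = new SecureRandom();

    static String strongToken() {
        byte[] b = new byte[16]; // 128 bits of output per token
        SHARED.nextBytes(b);
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Same millisecond, same seed, same token.
        long t = 1_700_000_000_000L; // constructed timestamp
        System.out.println("same-ms tokens equal: " + (weakToken(t) == weakToken(t)));

        // Back-to-back calls using the real clock: most land in the
        // same millisecond, so few distinct tokens come out.
        Set<Integer> weak = new HashSet<>();
        for (int i = 0; i < 10_000; i++) weak.add(weakToken(System.currentTimeMillis()));
        System.out.println("distinct weak tokens in 10000 calls: " + weak.size());

        // The shared generator does not depend on call timing.
        Set<String> strong = new HashSet<>();
        for (int i = 0; i < 10_000; i++) strong.add(strongToken());
        System.out.println("distinct strong tokens in 10000 calls: " + strong.size());
    }
}
```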