CTO and co-founder of Signal Sciences. Author and speaker on software engineering, devops, and security.

Better Random Numbers in PHP using /dev/urandom

How Etsy fixed PHP to produce better and safer random numbers

First posted in the Code as Craft blog. Here’s the intro:

The design of PHP’s basic random number generators rand and it’s newer variant mt_rand is based off the C Standard Library. For better or worse, both use a single global state and this can be reset using stand (or mt_srand). This means anyone (a developer, a third party module, a library) could set the state to a fixed value and every random number following will be the same for every request. Sometimes this is the desired behavior but this can also have disastrous consequences. For instance, everyone’s password reset code could end up being the same.

Update 2018: I assume PHP has since fixed how the default random number generation is done, but if not, this technique should still work. When this article came out I got a lot of feedback on how I’m wrong and one should really use /dev/random. Be my guest, but don’t call me when your server locks up waiting for “entropy.”

security software php

© 2018 Nick Galbreath