In Depth: "Password Generator" Security Audit
[InDepth#12] In November 2022, Steve McDougall published a tutorial called "Creating a Password Generator"... we're going to audit his code!
Greetings friends! It feels like forever since I last wrote a proper In Depth, and to be fair the last one was back in August[1]. So to make up for it, I have a real treat for you today: in November 2022 Steve McDougall published a tutorial called "Creating a Password Generator" on Laravel News, and today we're going to audit his code!
Two quick updates before we dive into it:
The second Practical Laravel Security module, Escaping Output, was published a few days ago, and I've added a Payment Plan as a billing option. Here are the details.
If you're heading to Laracon EU, I'll be speaking on the Friday afternoon!
Ensure your apps are secure: book in a Laravel Security Audit and Penetration Test!
Looking to learn more?
Security Tip #16: Open Redirects
In Depth #6: Timing Attacks
"Password Generator" Security Audit
On November 25th 2022, Steve McDougall published a tutorial on Laravel News entitled "Creating a Password Generator". As you can imagine, this immediately caught my eye and I had to check it out, and I found a few concerning things…
Now, it's worth pointing out before we get started that this is tutorial code, designed as a simple example to educate developers about building packages and to discuss the different structures in use. It also includes the following disclaimer on the post and repository:
Disclaimer. This is not intended for use in a production environment to create your passwords. My use case for this is to actually generate one off use codes such as One Time Pass Codes. This is not the most secure as the list of words is quite small, and will leave you open to a potential dictionary attack.
I reached out and had a good chat with Steve about it, and with his permission, we're going to conduct a security audit on the tutorial code! The tutorial was supposed to be educational, and we're putting it to good use, learning more about security and how this package could have been built in a much more secure fashion.
If you've got time, go have a read of the tutorial and/or the GitHub package, but it's not required to understand this article. We'll be working down in the order of the tutorial, and I'll be quoting the relevant bits here for you. Let's get started!
Defining the Generator Interface
The tutorial starts out by outlining the generator contract like so:
interface GeneratorContract
{
    // Returns a "memorable" password, e.g. flying-fish-swimming-lizard
    public function generate(): string;

    // Returns a "secure" password, e.g. fly1ng-f1sh-sw1mm1ng-l1z4rd
    public function generateSecure(): string;
}
Both methods are required to return what the tutorial calls a "memorable" or a "secure" password. These methods are supposed to return passwords in the following formats:
flying-fish-swimming-lizard - "memorable"
fly1ng-f1sh-sw1mm1ng-l1z4rd - "secure"
This, in my opinion, is the first mis-step of the tutorial. I like the use of the term "memorable" for the basic password: it clearly explains its use and security level (or lack thereof). But calling the second password "secure" sets high expectations for its use, when no real level of security has been added[2], and developers who don't understand the context will often make the wrong assumptions based on naming.
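To make the "no real security has been added" point concrete, here is an added example (my own code, not from Steve's tutorial or the package) that measures the output space of both formats. It assumes a constructed toy word list and a leet-style substitution map in the spirit of the tutorial's example strings; the tutorial's real list is not reproduced here. A fixed character substitution maps every "memorable" password to at most one "secure" password, so an attacker enumerating the word-list combinations (the dictionary attack the disclaimer mentions) faces the same keyspace either way, and the entropy is still just words × log2(list size).

```python
import itertools
import math
import secrets

# Constructed toy word list (assumption: the tutorial's real list is not shown here).
WORDS = ["flying", "fish", "swimming", "lizard", "red", "blue", "green", "quick"]

# Fixed leet-style substitutions, modelled on "fly1ng-f1sh-sw1mm1ng-l1z4rd".
LEET = {"i": "1", "a": "4", "e": "3", "o": "0"}


def memorable(words, n=4, rng=secrets):
    """Build a 'memorable' password: n words joined by hyphens.

    Uses the secrets module by default so the choice is made with a CSPRNG;
    any object exposing .choice(seq) (e.g. random.Random) can be passed in.
    """
    return "-".join(rng.choice(words) for _ in range(n))


def leetify(password):
    """Apply the fixed substitution table; this is a deterministic transform."""
    return "".join(LEET.get(ch, ch) for ch in password)


def memorable_entropy_bits(wordlist_size, n=4):
    """Entropy of n independent, uniformly chosen words from a list of that size."""
    return n * math.log2(wordlist_size)


def count_outputs(words, n, transform=lambda p: p):
    """Count distinct passwords the generator can emit for n words.

    For the 'secure' variant pass transform=leetify. Because the substitution
    is a fixed function of the memorable password, the count can never grow;
    it can only stay equal or shrink if two words collide after substitution.
    """
    return len({transform("-".join(combo)) for combo in itertools.product(words, repeat=n)})


def added_bits_from_leet(words, n):
    """Extra entropy gained by the substitution step: log2(secure / memorable)."""
    plain = count_outputs(words, n)
    leet = count_outputs(words, n, transform=leetify)
    return math.log2(leet / plain)


if __name__ == "__main__":
    pw = memorable(WORDS)
    print("memorable:", pw)
    print("'secure':  ", leetify(pw))
    print("entropy bits (8-word list, 4 words):", memorable_entropy_bits(len(WORDS)))
    print("distinct memorable (2 words):", count_outputs(WORDS, 2))
    print("distinct 'secure'  (2 words):", count_outputs(WORDS, 2, transform=leetify))
    print("bits added by substitution:", added_bits_from_leet(WORDS, 2))
```

Run it and the two distinct-output counts are identical, so the substitution step contributes 0 bits. The only way a substitution pass adds entropy is if it is itself random (for example, each eligible character independently swapped or not using a CSPRNG), and even then the gain is bounded by the number of eligible characters, not by the length of the string.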
Subscribe to Laravel Security In Depth to keep reading this post and get 7 days of free access to the full post archives.