4 comments

[ 3.4 ms ] story [ 20.2 ms ] thread
(comment deleted)
I'm not sure if I understand the significance of this post. Is PHP's implementation of the Mersenne twister more insecure than others? MT was never meant to be a secure PRNG, this is mentioned everywhere, usually in bold.
While nobody in their right mind would ever use it as a secure PRNG, who knows how often it's being used to generate randomness in a place where being able to predict the randomness would open up a non-cryptographic security vulnerability.
Yeah, this doesn't look PHP-specific, except that I keep seeing mt_rand being used in places where cryptographically-secure randomness is really called for (sometimes because there isn't a good alternative, sometimes because people mistakenly think they don't need secure randomness).