Package: libauth-googleauth-perl
Version: 1.02-1
Severity: important
Tags: security
Hi,

Auth::GoogleAuth uses the rand function to generate a 16-byte secret key for TOTP authentication. Sadly, rand is a poor source of randomness and unsuitable for crypto-related uses.

Following RFC 6238's SHOULDs, Auth::GoogleAuth should use a CSPRNG like urandom as a source to generate the key, and possibly generate a 20-byte key to follow a second SHOULD.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org
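The following is an added illustration of the point raised in the report; it is not code from Auth::GoogleAuth or from the reporter, and it is written in Python rather than Perl so the generic technique is visible without depending on any CPAN module. It contrasts a secret drawn from a seeded, non-cryptographic PRNG (standing in for rand; the seed-recovery loop is a constructed demonstration, not a claim about how the module seeds rand) with a 20-byte secret drawn from the OS CSPRNG, and derives TOTP codes per RFC 6238 so the result can be checked against the RFC's published test vector. The function names and the 30-second step / 6-digit defaults are this example's own choices.

```python
"""Added example: CSPRNG-backed TOTP secret generation plus RFC 6238 code
derivation. Not the Auth::GoogleAuth implementation."""
import base64
import hashlib
import hmac
import random
import secrets
import struct
import time

# RFC 6238 recommends a key at least as long as the HMAC output (20 bytes for SHA-1).
SECRET_LEN = 20
STEP_SECONDS = 30


def weak_secret_from_prng(seed, length=16):
    """What NOT to do: a Mersenne-Twister PRNG seeded from a small space.
    Constructed illustration of the report's point, not the module's code."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def recover_weak_seed(target, max_seed):
    """Attacker side: with a small seed space the secret is reproducible by search."""
    for seed in range(max_seed):
        if weak_secret_from_prng(seed, len(target)) == target:
            return seed
    return None


def generate_secret(length=SECRET_LEN):
    """Draw the secret from the OS CSPRNG (getrandom / urandom via secrets)."""
    if length < 16:
        raise ValueError("TOTP secret must be at least 128 bits (RFC 4226)")
    return secrets.token_bytes(length)


def secret_to_base32(secret):
    """Unpadded RFC 4648 base32, the form authenticator apps expect in otpauth:// URIs."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def base32_to_secret(text):
    """Inverse of secret_to_base32; tolerates lower case and spaces."""
    cleaned = text.upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP_SECONDS, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, window=1, step=STEP_SECONDS):
    """Accept the current step and +/- `window` steps for clock skew.
    hmac.compare_digest avoids leaking matched digits through timing."""
    if at is None:
        at = int(time.time())
    return any(
        hmac.compare_digest(totp(secret, at + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # The RFC 6238 test key is the ASCII string "12345678901234567890" (20 bytes).
    rfc_key = b"12345678901234567890"
    print("RFC 6238 T=59, 8 digits:", totp(rfc_key, at=59, digits=8))
    fresh = generate_secret()
    print("new secret (base32):", secret_to_base32(fresh))
    weak = weak_secret_from_prng(4242)
    print("weak seed recovered:", recover_weak_seed(weak, 10000))
```

The RFC 6238 vector (key "12345678901234567890", T=59, SHA-1) yields 94287082 with 8 digits, which is the RFC 4226 HOTP value for counter 1 and, truncated to 6 digits, 287082. A secret produced by generate_secret passes through secret_to_base32 unchanged in round trip, whereas the weak variant can be recovered from its seed by exhaustive search, which is the failure mode the report describes.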