Closed
Labels
Web-only: Issue without backend dependencies
Description
Describe the bug
The password generator for public links is https://www.npmjs.com/package/js-generate-password, hosted on GitHub as https://github.com/ahmadjoya/generate-password-lite .
Unfortunately it uses only Math.random() to pick the characters and shuffle them around:
- https://github.com/ahmadjoya/generate-password-lite/blob/main/src/lib/shuffle-string.ts#L6
- https://github.com/ahmadjoya/generate-password-lite/blob/main/src/lib/generate-random-number.ts#L2
As Math.random() only generates pseudo-random numbers, at least in theory the number of passwords that library can generate for a given length and set of criteria is only a subset of what is theoretically possible, with the potential for the same password to be generated more than once.
Suggested fix
- use window.crypto.getRandomValues instead
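A sketch of the suggested fix, as an added example that is not code from the issue or from the linked library: character selection and shuffling both draw from `crypto.getRandomValues`, with rejection sampling so every index is equally likely. The names `secureInt`, `generatePassword` and `CLASSES`, and the symbol alphabet, are assumptions made for illustration.

```javascript
// Added example; secureInt, generatePassword and CLASSES are hypothetical names.
// Browsers expose globalThis.crypto; the require() is a fallback for older Node.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, max) via rejection sampling, so there is no modulo bias.
function secureInt(max) {
  if (!Number.isInteger(max) || max < 1 || max > 0x100000000) {
    throw new RangeError('max must be an integer in 1..2^32');
  }
  const limit = Math.floor(0x100000000 / max) * max; // largest multiple of max <= 2^32
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit); // discard draws from the uneven tail
  return buf[0] % max;
}

// Constructed character classes (the symbol set is an assumption).
const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!#$%&*+-=?@_',
};

function generatePassword(length, classes = Object.keys(CLASSES)) {
  const sets = classes.map((name) => {
    if (!Object.hasOwn(CLASSES, name)) throw new RangeError(`unknown class: ${name}`);
    return CLASSES[name];
  });
  if (sets.length === 0 || !Number.isInteger(length) || length < sets.length) {
    throw new RangeError('length must be an integer covering every requested class');
  }
  const all = sets.join('');
  // One character from each required class, the rest from the combined alphabet.
  const chars = sets.map((s) => s[secureInt(s.length)]);
  while (chars.length < length) chars.push(all[secureInt(all.length)]);
  // Fisher-Yates shuffle driven by the same CSPRNG, so positions leak nothing.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = secureInt(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}
```
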
Status
Done