
Get the right order of salts generation #11

Open
sebastiaandegeus opened this issue Nov 15, 2016 · 3 comments

Comments

@sebastiaandegeus
Owner

sebastiaandegeus commented Nov 15, 2016

  • random_int() php7 function
  • wp salts api 1.1
  • generate_password()

See:
wordpress/wp-admin/setup-config.php
https://github.com/szepeviktor/wordpress-plugin-construction/blob/master/wp-safe-salt.php

@szepeviktor

szepeviktor commented Nov 15, 2016

password_generate function

Did you mean wp_generate_password()?

BTW, my function uses openssl_random_pseudo_bytes()

WP core: https://github.com/WordPress/WordPress/blob/master/wp-admin/setup-config.php#L285-L314

@sebastiaandegeus
Owner Author

Yes sorry, that's what I meant.

In my opinion, we should stick to the official WordPress code for generating any random string for salts. Unfortunately they haven't put this code into easily usable functions or a class or even a library, so that makes it a bit more difficult to use.

See:
https://github.com/WordPress/WordPress/blob/master/wp-admin/setup-config.php#L285

It's a bit of a mess. It's in the middle of a script that outputs a bunch of stuff.
I'm not looking forward to duplicating that code and then being responsible for updating it when it changes in the WordPress core.

There is also this inside the WordPress core:
https://github.com/WordPress/WordPress/blob/dd6da701b286579819cd6aa518aa2d7018efd759/wp-includes/random_compat/random.php
That adds backwards compatibility for PHP 5.

The function you use is considered last resort:
"openssl_random_pseudo_bytes() (absolute last resort)"
https://github.com/WordPress/WordPress/blob/dd6da701b286579819cd6aa518aa2d7018efd759/wp-includes/random_compat/random.php#L68

I assume the 1.1 Salts API uses the best method for generating these random strings. So that would still be the safest and best way of generating the salts until the core developers decide to put that random_int code into something reusable.
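The preferred approach discussed above, written out as an added example (not code from this project or from WordPress core): generating the eight wp-config.php salt constants with random_int() over the same character set wp_generate_password() uses. It assumes PHP 7, or PHP 5 with the random_compat polyfill already autoloaded, and it stops with an error instead of degrading to a weaker source when no secure randomness is available.

```php
<?php
// Added example, not the project's or WordPress core's own code.
// random_int() is PHP 7's CSPRNG API; on PHP 5 the same call is provided by
// paragonie/random_compat (assumption: installed via Composer and autoloaded).

// The 92-character set wp_generate_password() uses when both special-character
// options are enabled. It contains no quotes or backslashes, so a salt can be
// emitted inside a single-quoted PHP string without escaping.
define('SALT_CHARS',
    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    . '!@#$%^&*()'
    . '-_ []{}<>~`+=,.;:/?|');

/**
 * Build one salt of $length characters.
 * random_int() throws an Exception when no secure source is available,
 * rather than silently falling back to something weaker.
 */
function generate_salt($length = 64)
{
    $max  = strlen(SALT_CHARS) - 1;
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        // Uniform index into the character set, no modulo bias.
        $salt .= SALT_CHARS[random_int(0, $max)];
    }
    return $salt;
}

/**
 * Return the eight define() lines wp-config.php expects, one fresh salt each.
 */
function generate_salt_defines()
{
    $keys = array('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                  'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT');
    $out = '';
    foreach ($keys as $key) {
        $out .= sprintf("define('%s', '%s');\n", $key, generate_salt());
    }
    return $out;
}

try {
    echo generate_salt_defines();
} catch (Exception $e) {
    fwrite(STDERR, 'No secure random source available: ' . $e->getMessage() . "\n");
    exit(1);
}
```

Run it as `php generate-salts.php >> wp-config.php` only after removing the placeholder salts already in that file, since later define() calls do not override earlier ones.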

@szepeviktor

You may open a core ticket to move that piece of code into a function.
