Token generation may be vulnerable to Modulo Bias #779

New Issue

Closed

opened 2026-02-04 22:37:16 +03:00 by OVERLORD · 1 comment

OVERLORD commented 2026-02-04 22:37:16 +03:00

Owner

Copy Link

Originally created by @zyuiop on GitHub (Aug 22, 2020).

Modulo Bias is an issue with random numbers generators where some numbers have a higher chance to be found than others. See an article about this bias and how to avoid it here: https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/

Here is the line where the bias arises:
eba22c2d94/src/crypto.rs (L67)

From what I saw in the code, this seems to be used (only?) for two factor authentication, so this may not be very problematic.

Originally created by @zyuiop on GitHub (Aug 22, 2020). Modulo Bias is an issue with random numbers generators where some numbers have a higher chance to be found than others. See an article about this bias and how to avoid it here: https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/ Here is the line where the bias arises: https://github.com/dani-garcia/bitwarden_rs/blob/eba22c2d9429b9f9bad5baff9b1d571b469645c9/src/crypto.rs#L67 From what I saw in the code, this seems to be used (only?) for two factor authentication, so this may not be very problematic.

OVERLORD closed this issue 2026-02-04 22:37:21 +03:00

OVERLORD commented 2026-02-04 22:37:26 +03:00

Author

Owner

Copy Link

@dani-garcia commented on GitHub (Aug 22, 2020):

This shouldn't be a problem in practice as long as users don't configure the token generation to be over 16 or so:
For example using a 16 digit length, the numbers at the start would have 1844 chances to appear (2^64 / 10^16), while the ones at the end would have 1855 which is basically close enough to random for this case I think.

But yeah using the max of 19 would give the first numbers in the range 50% more chance to appear, so I think we should at the very list make the limit lower.

@dani-garcia commented on GitHub (Aug 22, 2020): This shouldn't be a problem in practice as long as users don't configure the token generation to be over 16 or so: For example using a 16 digit length, the numbers at the start would have 1844 chances to appear (2^64 / 10^16), while the ones at the end would have 1855 which is basically close enough to random for this case I think. But yeah using the max of 19 would give the first numbers in the range 50% more chance to appear, so I think we should at the very list make the limit lower.

OVERLORD referenced this issue 2026-02-05 04:56:15 +03:00

[PR #779] [MERGED] Add Github build Action #2769

OVERLORD referenced this issue 2026-02-05 04:56:36 +03:00

[PR #804] [MERGED] Improve Github Actions Workflow #2776

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#779