Merge pull request #14828 from tamasvajk/docs/insecure-randomness

C#: Update insecure randomness query description to match implementation
github · Nov 17, 2023 · 7c3122a · 7c3122a
2 parents 8a8031d + b2c8049
commit 7c3122a
Showing 1 changed file with 1 addition and 9 deletions.
diff --git a/csharp/ql/src/Security Features/InsecureRandomness.qhelp b/csharp/ql/src/Security Features/InsecureRandomness.qhelp
@@ -29,11 +29,6 @@ number generator. <code>Random</code> is not cryptographically secure, and shoul
 security contexts. For contexts which are not security sensitive, <code>Random</code> may be
 preferable as it has a more convenient interface, and is likely to be faster.
 </p>
-<p>
-For the specific use-case of generating passwords, consider
-<code>System.Web.Security.Membership.GeneratePassword</code>, which provides a cryptographically
-secure method of generating random passwords.
-</p>
 
 </recommendation>
 
@@ -54,10 +49,7 @@ purpose. In this case, it is much harder to predict the generated integers.
 </p>
 <p>
 In the final example, the password is generated using the <code>Membership.GeneratePassword</code>
-library method, which uses a cryptographically secure random number generator to generate a random
-series of characters. This method should be preferred when generating passwords, if possible, as it
-avoids potential pitfalls when converting the output of a random number generator (usually an int or
-a byte) to a series of permitted characters.
+library method, which generates a password with a bias, therefore should be avoided.
 </p>
 <sample src="InsecureRandomness.cs" />