Diffstat (limited to 'lib/private')
-rw-r--r-- | lib/private/security/crypto.php | 3 | ||||
-rw-r--r-- | lib/private/security/stringutils.php | 6 |
2 files changed, 8 insertions, 1 deletions
diff --git a/lib/private/security/crypto.php b/lib/private/security/crypto.php
index 34f0d4e617d..6fdff8d92a2 100644
--- a/lib/private/security/crypto.php
+++ b/lib/private/security/crypto.php
@@ -52,6 +52,9 @@ class Crypto implements ICrypto {
 $password = $this->config->getSystemValue('secret');
 }
 
+ // Append an "a" behind the password and hash it to prevent reusing the same password as for encryption
+ $password = hash('sha512', $password . 'a');
+
 $hash = new Crypt_Hash('sha512');
 $hash->setKey($password);
 return $hash->hash($message);
diff --git a/lib/private/security/stringutils.php b/lib/private/security/stringutils.php
index 32dff50fa8b..33a3a708012 100644
--- a/lib/private/security/stringutils.php
+++ b/lib/private/security/stringutils.php
@@ -15,6 +15,10 @@ class StringUtils {
 * length this is done by comparing two hashes against each other and afterwards
 * a comparison of the real string to prevent against the unlikely chance of
 * collisions.
+ *
+ * Be aware that this function may leak whether the string to compare have a different
+ * length.
+ *
 * @param string $expected The expected value
 * @param string $input The input to compare against
 * @return bool True if the two strings are equal, otherwise false.
@@ -25,7 +29,7 @@ class StringUtils {
 return hash_equals($expected, $input);
 }
 
- $randomString = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10);
+ $randomString = \OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate(10);
 if(hash('sha512', $expected.$randomString) === hash('sha512', $input.$randomString)) {
 if($expected === $input) { |
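Review bot: The added `$password = hash('sha512', $password . 'a');` line separates the MAC key from the encryption key only by an ad-hoc one-character suffix, and the comment above it describes the mechanism rather than the requirement; a keyed construction with a descriptive label makes the separation explicit, e.g. `$password = hash_hmac('sha512', 'hmac-key', $password);` with the comment `// Domain separation: derive a MAC key that is never equal to the cipher key derived from the same secret`. Worth stating in the comment as well that `hash()` returns a 128-character hex string rather than raw bytes, which `Crypt_Hash::setKey()` accepts, so that nobody later switches on the raw-output argument without considering already-stored MACs. It also looks like an empty `secret` system value would turn the derived key into the fixed, public value `hash('sha512', 'a')`; the guard that assigns it sits above the hunk, so confirm that an empty secret is rejected rather than silently producing a key anyone can reproduce. The enclosing method starts before the hunk.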
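Review bot: The second hunk downgrades the blinding value to `getLowStrengthGenerator()` without recording why that is safe, and the correctness of the fallback compare depends on `$randomString` being unpredictable to the caller for the duration of a single call; add above the changed line `// Low strength suffices: the suffix only blinds the timing of === below, is never exposed, and is freshly drawn on every call`. If the low-strength source can be predictable under some configuration, the hash comparison would no longer hide the position of the first differing byte, so that property should be checked against the generator's contract rather than assumed. The new docblock sentence in the first hunk should read `whether the strings to compare have different lengths`, which also matches what `hash_equals()` itself leaks. The enclosing method begins before the second hunk and continues past its last line.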