PHP RFC: Remove MCRYPT_RAND (Formerly: Deprecate MCRYPT_RAND)


MCRYPT_RAND should removed from PHP 7.0 so that developers are discouraged from using it in production systems or in frameworks used by other developers. MCRYPT_RAND is a constant that instructs mcrypt_create_iv() to use a non-cryptographically-secure entropy source. While IVs do not have the same secrecy requirements as a private key, they should be unpredictable. Using MCRYPT_RAND is therefore unsuitable for cryptographic applications.


The following changes should be made:

  • MCRYPT_RAND should be removed as of PHP 7.0.
  • With MCRYPT_RAND gone, mcrypt_create_iv() should transparently fall back to the default (currently MCRYPT_DEV_URANDOM)

Backward Incompatible Changes

The MCRYPT_RAND constant will be removed, and support for it will also be removed.

Proposed PHP Version(s)

This proposal should be considered for the PHP 7.0.

Proposed Voting Choices

Include these so readers know where you are heading and can discuss the proposed voting options.

State whether this project requires a 2/3 or 50%+1 majority (see voting)

Patches and Tests

The patch (and a relevant discussion) is already on GitHub


rfc/deprecate_mcrypt_rand.txt · Last modified: 2017/09/22 13:28 by