Bug
Resolution: Fixed
Minor
2.6.3
MOODLE_26_STABLE
MOODLE_26_STABLE, MOODLE_27_STABLE
MDL-46016_master
Check that you can log in, log out, then log back in using Shibboleth.
13
BACKEND Sprint 14
I was reading through the Shibboleth code and found this in auth/shibboleth/index.php near line 37:
    /// If we can find the Shibboleth attribute, save it in session and return to main login page
    if (!empty($_SERVER[$pluginconfig->user_attribute])) { // Shibboleth auto-login
        $frm = new stdClass();
        $frm->username = strtolower($_SERVER[$pluginconfig->user_attribute]);
        $frm->password = substr(base64_encode($_SERVER[$pluginconfig->user_attribute]),0,8);
        // The random password consists of the first 8 letters of the base 64 encoded user ID
        // This password is never used unless the user account is converted to manual
The problem is that I don't believe Base64 is random at all, and for short usernames it could yield extremely short passwords. For instance, the first 8 characters of the Base64 encoding of the username 'ted' are 'dGVk'.
I am certainly no security expert, but if a site for whatever reason decided to stop using Shibboleth, anyone could stick a bunch of known usernames through Base64 and easily have the first 8 characters.
It seems like a bunch of randomized garbage characters would be a better idea to use. I really hope I am missing something here.
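The derivation quoted above, reproduced as an added example (this is not code from the report or from Moodle; it is written in Python rather than PHP, but standard Base64 is identical in both, so the values match PHP's substr(base64_encode(...),0,8)). It shows the three points the report makes: the "password" is a pure function of the username, for short usernames it is shorter than 8 characters (a one-letter username even pads with '='), and anyone holding a list of usernames can tabulate every such password in advance. The last function is an assumed replacement that draws the value from a CSPRNG instead; the username list is constructed for the example.

```python
import base64
import secrets
import string


def legacy_shibboleth_password(user_attribute: str) -> str:
    """Replica of the quoted Moodle logic: the first 8 characters of the
    Base64 encoding of the Shibboleth user attribute. Deterministic, and
    shorter than 8 characters whenever the attribute is under 6 bytes."""
    encoded = base64.b64encode(user_attribute.encode("utf-8")).decode("ascii")
    return encoded[:8]


def recover_passwords(known_usernames):
    """The attack the report describes: push known usernames through Base64
    and read off the first 8 characters. Returns {username: derived password}.
    Note that no guessing is involved; every entry is exact."""
    return {u: legacy_shibboleth_password(u) for u in known_usernames}


def derived_password_lengths(known_usernames):
    """Effective length of each derived password, ignoring '=' padding,
    which carries no information. Useful for auditing how weak the values are."""
    return {u: len(legacy_shibboleth_password(u).rstrip("=")) for u in known_usernames}


def random_password(length: int = 20) -> str:
    """Assumed hardened replacement (not Moodle's code): the password is drawn
    from a CSPRNG and has no relationship to the username at all."""
    alphabet = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample username list, standing in for a leaked or public directory.
SAMPLE_USERNAMES = ["a", "ted", "jsmith", "alice.smith"]

if __name__ == "__main__":
    for user, pw in recover_passwords(SAMPLE_USERNAMES).items():
        print(f"{user!r:15} -> legacy password {pw!r} "
              f"({derived_password_lengths([user])[user]} real characters)")
    print("random replacement:", random_password())
```

Running it prints, for instance, that 'ted' yields 'dGVk' and 'a' yields 'YQ==' (two real characters), while 'jsmith' happens to fill all 8 characters ('anNtaXRo') yet is still computable by anyone who knows the username. The relevant fix is not a longer substr() but a source of randomness, which is what random_password() does.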