random1 Posted July 20, 2009

I need to add a human-readable password generator similar to: http://www.anyexample.com/programming/php/php__password_generation.xml to my site. This is not good enough since the generation is not readable enough. The passwords will be used for password reset and temporary use for users. Any ideas?

Grayda Posted July 20, 2009

So you're after a password generator that will output a password that LOOKS like an English word but isn't? I'd be wary of doing that, given that if you follow basic English rules, they will be easy to crack. The best method is to create a really random password that (ideally) includes letters, numbers and symbols, and is of a decent length. I've got a function prepared that will do just that and is easy to configure depending on what your password requirements are.

But if you are really determined to have English-looking words, I have links to several large dictionaries that you can pluck words from and mash them up, but again, I wouldn't recommend it, given that most password cracking software could get your password in a short amount of time.

So, let us know exactly what you're after so we can give you a better answer.

Batosi Posted July 20, 2009

Hmm yea I agree, you don't want to use words, just random letters and numbers.

    <?php
    $pass = '';
    // Character pool: lowercase letters and the digits 1-9
    $ar = str_split('abcdefghijklmnopqrstuvwxyz123456789');
    // Append 9 characters picked at random from the pool
    for ($i = 0; $i < 9; $i++) {
        $pass .= $ar[array_rand($ar)];
    }
    ?>

Probably not the best thing to use but it gives you the idea.

chokies12 Posted July 20, 2009

Passwords should be encrypted, so the main idea is to generate and email a temporary code, then a link. Upon clicking the link, $_GET the temporary code which you include in the URL, then if verified in the database, show a change password form for much tighter security.

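The reset flow described in the post above, as an added example that is not part of anyone's post. The in-memory `$store` array stands in for a database table; the function names, the URL in the comment and the 15-minute lifetime are assumptions.

```php
<?php
// Added example: single-use, expiring password-reset token.
// $store is a stand-in for a database table keyed by user id (assumption).

const RESET_TTL = 900; // link lifetime in seconds (assumed policy)

// Create a token, keep only its hash server-side, return the raw token
// for the emailed link, e.g. reset.php?uid=42&code=<token> (hypothetical URL).
function issueResetToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $store[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + RESET_TTL,
    ];
    return $token;
}

// Check the code taken from $_GET; on success the token is deleted so the
// link cannot be replayed, and the change-password form may be shown.
function redeemResetToken(array &$store, int $userId, string $code, int $now): bool
{
    if (!isset($store[$userId])) {
        return false;
    }
    $row = $store[$userId];
    $valid = $now <= $row['expires']
        && hash_equals($row['hash'], hash('sha256', $code)); // constant-time compare
    if ($valid || $now > $row['expires']) {
        unset($store[$userId]); // burn used or expired tokens
    }
    return $valid;
}

// Constructed walk-through with a fixed clock.
$store = [];
$now = 1700000000;
$token = issueResetToken($store, 42, $now);
var_dump(redeemResetToken($store, 42, 'not-the-token', $now + 10)); // wrong code
var_dump(redeemResetToken($store, 42, $token, $now + 60));          // correct code, in time
var_dump(redeemResetToken($store, 42, $token, $now + 61));          // replay of a used link
$late = issueResetToken($store, 42, $now);
var_dump(redeemResetToken($store, 42, $late, $now + RESET_TTL + 1)); // expired link

// The new password chosen on the form is then stored with password_hash().
echo password_hash('constructed-new-password', PASSWORD_DEFAULT), "\n";
```
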
Daniel0 Posted July 20, 2009

> The best method is to create a really random password

If you can do that, I think NSA has a job for you. A computer is a deterministic device. Otherwise I'm afraid we'll have to do with pseudo random instead of really random.

waynew Posted July 20, 2009

    <?php
    $pass = rand(0,9).rand(0,9).rand(0,9).rand(0,9).rand(0,9).rand(0,9);
    //send $pass to user via email

    //encrypt pass and insert into password field
    $pass = sha1($pass); //or use whatever encryption method you're using for password checking
    //insert into password field

Grayda Posted July 20, 2009

> If you can do that, I think NSA has a job for you. A computer is a deterministic device. Otherwise I'm afraid we'll have to do with pseudo random instead of really random.

Well, by really random, I meant, more random than English letters.

Here's the code I have, taken from my latest project. Does an alright job of generating passwords, but this is only one step in a secure password scheme:

    <?php
    /**
     * Password security. These options are to be used for toggling or enforcing password strength. To use effectively, you need to use bitmasks.
     */
    define("passEnforceMinimum", 1); # Should user::registerUser enforce a minimum password length?
    define("passRequireAlpha", 2);   # Do we need to have letters in the password?
    define("passRequireNumbers", 4); # Do we need to have number(s) in the password?
    define("passRequireSymbol", 8);  # Do we require non alphanumeric characters in the password?
    define("passRequirements", passRequireAlpha | passRequireNumbers | passRequireSymbol); # Our passwords require: letters, numbers and symbols
    define("passMinimumLength", 8);  # Minimum password length (not defined in the posted excerpt; 8 assumed)

    /**
     * generatePassword creates a random password for you
     *
     * This function takes no parameters, instead it uses the password requirements (passRequirements) to determine what the password needs.
     * If you have passRequireAlpha set, your password will contain letters. If you have passRequireAlpha and passRequireNumbers, your password
     * will contain letters and numbers, and so forth.
     * Minimum password length is determined by passMinimumLength (which by default, is 8)
     *
     * @return string String containing your password
     */
    function generatePassword() {
        $pass = array(); # Pool of candidate characters, shuffled and trimmed below
        if(passRequireAlpha & passRequirements) { # If we require letters in our password
            for($i = 0; $i <= passMinimumLength - 1; $i++) { # Loop passMinimumLength times to ensure a nice random mix
                $pass[] = chr(rand(65, 90)); # Generate random uppercase letters one at a time and put them into an array for shuffling
                $pass[] = chr(rand(97, 122)); # Generate random lowercase letters
            }
        }
        if(passRequireNumbers & passRequirements) { # Same as above, but only for numbers
            for($i = 0; $i <= passMinimumLength - 1; $i++) {
                $pass[] = chr(rand(48, 57)); # 48-57 on the ASCII table is 0-9
            }
        }
        if(passRequireSymbol & passRequirements) { # Symbols!
            for($i = 0; $i <= passMinimumLength - 1; $i++) {
                $pass[] = chr(rand(33, 47));
                $pass[] = chr(rand(58, 64));
                $pass[] = chr(rand(91, 95));
                $pass[] = chr(rand(123, 126));
            }
        }
        shuffle($pass); # Finally, shuffle our array to mix it up
        $pass = implode("", $pass); # Glue the array together with no delimiter
        $pass = substr($pass, 0, passMinimumLength); # Then trim off all but passMinimumLength letters
        return $pass; # We're done!
    }
    ?>

It's still in its infancy and could be a LOT faster, but it works well enough. I can generate a few thousand passwords in a few seconds. Just paste it in and call $myPass = generatePassword(); to get a nice, pseudo-random password.

If this is what you're after, mind you!

tartis Posted July 20, 2009

I found this code on the web a few weeks ago, and it creates a readable password. I would then insert it using encryption.

    <?php
    //password generator
    function ae_gen_password($syllables = 3, $use_prefix = false)
    {
        // Define function unless it already exists
        if (!function_exists('ae_arr'))
        {
            // This function returns random array element
            function ae_arr(&$arr)
            {
                return $arr[rand(0, sizeof($arr)-1)];
            }
        }

        // 20 prefixes
        $prefix = array('aero', 'anti', 'auto', 'bi', 'bio',
                        'cine', 'deca', 'demo', 'dyna', 'eco',
                        'ergo', 'geo', 'gyno', 'hypo', 'kilo',
                        'mega', 'tera', 'mini', 'nano', 'duo');

        // 10 random suffixes
        $suffix = array('dom', 'ity', 'ment', 'sion', 'ness',
                        'ence', 'er', 'ist', 'tion', 'or');

        // 8 vowel sounds
        $vowels = array('a', 'o', 'e', 'i', 'y', 'u', 'ou', 'oo');

        // 20 random consonants
        $consonants = array('w', 'r', 't', 'p', 's', 'd', 'f', 'g', 'h', 'j',
                            'k', 'l', 'z', 'x', 'c', 'v', 'b', 'n', 'm', 'qu');

        $password = $use_prefix?ae_arr($prefix):'';
        $password_suffix = ae_arr($suffix);

        for($i=0; $i<$syllables; $i++)
        {
            // selecting random consonant
            $doubles = array('n', 'm', 't', 's');
            $c = ae_arr($consonants);
            if (in_array($c, $doubles)&&($i!=0))
            {
                // maybe double it
                if (rand(0, 2) == 1) // 33% probability
                    $c .= $c;
            }
            $password .= $c;

            // selecting random vowel
            $password .= ae_arr($vowels);

            if ($i == $syllables - 1) // if suffix begins with vowel
                if (in_array($password_suffix[0], $vowels)) // add one more consonant
                    $password .= ae_arr($consonants);
        }

        // selecting random suffix
        $password .= $password_suffix;

        return $password;
    }

    $password = ae_gen_password(3, false);
    //end password

Grayda Posted July 23, 2009

> I found this code on the web a few weeks ago, and it creates a readable password. I would then insert it using encryption.

Just keep in mind that encryption is a good measure against people opening up your database and extracting the passwords from the table, but doesn't help much against brute-force attacks via your site.

And @random1, I strongly urge you to check out recaptcha.net so you can add a CAPTCHA to your site. I was able to break this generation function in 30 minutes using a simple script. The script generates 100,000 passwords, stores them in a list, then generates another 100,000 and compares the two. If there is even a single match in the lists, the script aborts and lets you know there is a match. If I had pre-generated a list of millions of passwords, this could have been done quicker.

Also, if you're going to encrypt your information before you store it, pick and use a strong salt (i.e. a phrase used alongside the encryption to make it even more secure) so if people get your encrypted text, it'll be tricky to work out the password AND the salt.

Sorry if I'm pulling this into a security discussion, but it's important to know all you can before going ahead with something that involves sensitive information.

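The keyspace arithmetic behind the warnings in this thread, together with one way to draw a readable temporary password from a CSPRNG; this is an added example, not code from any poster. The keyspace figures are counted from the generators as posted above, while the alphabet, the length of 12 and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. Keyspaces are counted from the
// generators as posted; alphabet, length and function names are assumptions.

// Entropy in bits of one uniform pick out of $keyspace values.
function bits(float $keyspace): float
{
    return log($keyspace, 2);
}

// Expected matches between two independent lists of $n uniform picks each,
// i.e. the 100,000-against-100,000 comparison described above.
function expectedMatches(int $n, float $keyspace): float
{
    return ($n * $n) / $keyspace;
}

// Readable temporary password: no look-alikes (0/o, 1/l/i), every character
// drawn with random_int(), which is backed by the OS CSPRNG.
function readablePassword(int $length = 12): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789'; // 31 symbols
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

$schemes = [
    // waynew: six calls to rand(0,9)
    'six digits'                => 10 ** 6,
    // Batosi: 9 picks from 35 characters
    '9 of a-z1-9'               => 35 ** 9,
    // tartis: first syllable 20x8, later ones 24x8 (4 consonants may double),
    // 10 suffixes, the 5 starting with a vowel get one extra consonant.
    // Upper bound: picks are not uniform and come from rand().
    'ae_gen_password(3, false)' => 160 * 192 * 192 * (5 + 5 * 20),
    'readablePassword(12)'      => 31 ** 12,
];
foreach ($schemes as $name => $keyspace) {
    printf("%-26s %5.1f bits, %.3g expected matches\n",
        $name, bits($keyspace), expectedMatches(100000, $keyspace));
}
echo readablePassword(), "\n";
```
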