
generating a password without the letters 'oh' or 'el' or the numbers 1 or 0


peppericious


Maybe it's a Regex question, but I'm wondering how one would go about generating alphanumeric passwords that do not contain either the letters 'oh' or 'el', or the numbers 1 (one) or 0 (zero)?

 

In other words, the p/w can contain any letters of the alphabet - apart from 'oh' and 'el' - and any digits from 2 to 9 inclusive.

 

The p/w length is not critical - let's say 8 characters.

 

Thanks in advance for your help.

Link to comment
Share on other sites

guys, he's asking about generating passwords, not validating them.

 

OP: I'm confused, you refer to "oh" and "el" as letters... so when you say you do not want it to contain "oh" or "el" do you mean

 

1) 2 literal 2-character strings? Like..

 

ohxxxxxx <-bad

oxxxxxxx <-good

hxxxxxxx <-good

oxhxxxxx <-good

elxxxxxx <-bad

exlxxxxx <-good

exxxxxxx <-good

lxxxxxxx <-good

 

 

2) Or, were you just "pronouncing" them, and you really meant "o" and "l", like...

 

xxxxxxxx <- good

oxxxxxxx <- bad

hxxxxxxx <- good

exxxxxxx <- good

lxxxxxxx <- bad

 

if the answer is #2 (which I'm guessing that's what you meant...)

 

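$password_length = 8;
// Pool: a-z without 'l' and 'o', plus the digits 2-9
$pool = array_merge(range('a','k'),range('m','n'),range('p','z'),range(2,9));
// Shuffle the pool and take the first $password_length entries (each character appears at most once)
shuffle ($pool);
$password = implode('', array_slice($pool,0,$password_length));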

Link to comment
Share on other sites

Yes Crayon Violent,

 

I'm talking about creating - not validating - those p/ws. And, yes, no. 2 that you described is what I'm talking about.

 

I want users who have registered to be issued with temporary passwords that do not contain any of those 4 characters which are frequently the cause of confusion - people entering 0 (zero) rather than the letter 'o' (oh) and vice versa in the p/w field and then being told that their p/ws are incorrect. I want to eliminate those 4 characters completely from all automatically generated p/ws.

 

So, thanks for your help: that's what I'm after. I'll go ahead and give your code a try.

Link to comment
Share on other sites

Using just numbers (especially the time) makes it very easy to brute crack (since you just need to enter a date range and let a foreach work its magic). It also doesn't actually satisfy the part the OP asked about NOT having 1 or 0 in the password. I know they won't have the confusion issue with 1 l and L but it's still a bad idea to have just numbers, especially based on time, or a hex/hash of that time. It's also worth noting that unless this is being done manually for each password, if a script does 20 accounts at once, they would all have the same password as time() doesn't change during the running of the script like microtime does.

Link to comment
Share on other sites

Ok, if this is a large company with lots of people joining up in thousands then it would be a problem. No random generator is guaranteed to be unique, so a mix of both would work.

How about a random number between 1000 and 9999 with the dechex add on.

The hacker is working blind and if the page is securely written not to break and reveal secure information it could work. Nothing is totally secure but good coding practice will help in this area.

 

Link to comment
Share on other sites

I have a system where the password is md5() into the database. None of this we will email your password and a nightmare for the hacker. You would require some personal information. Even Microsoft groups do this. However this is also encrypted. I also binned the user name and password as being outdated. Why should it be a word? I can have sentences with accented letters and any key on the keyboard. “My dogs got bad breath”, would be ok. Everyone who uses it says it allows them to be more creative and less likely to forget. All there is a subscription form where the user can choose his/her User key as I call it. This is encrypted and sent to the database.

 

It's worth a look at.

 

Link to comment
Share on other sites

How about something simple like:

 

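function generate_password() {
    $length = 8;
    // Allowed characters: no 'l'/'L', 'o'/'O', '1' or '0' (lower-case 'e' and 'i' are also absent)
    $chars = "abcdfghjkmnpqrstuvwxyzABCDEFGHIJKMNPQRSTUVWXYZ23456789";

    $size = strlen($chars);
    $str = ''; // initialise so the first .= does not hit an undefined variable
    for ($i = 0; $i < $length; $i++) {
        // append the character at a random index of $chars
        $str .= $chars[rand(0, $size - 1)];
    }
    return $str;
}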

Link to comment
Share on other sites

Nope.

Why does a password have to be unique? - I'm sure that there is someone else out there who has a password the same as mine for some things.

If you really wanted to, you can check against existing passwords in your DB. If you get more than one result, generate another.

 

 

Link to comment
Share on other sites

would rand be truly random and would it be impossible for a duplicate ?

 

mt_rand() will generally be a better idea, but in either case, it doesn't matter much. Random passwords, as the OP stated, are temporary solutions that are going to be changed in most cases. If he wants to increase security, in grahamb314's code he can increase the length, add some non-alphanumeric characters to the $chars list, hash it and finally drop in a salt. Collision in this case is not even an issue.

Link to comment
Share on other sites
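The generator from the posts above, written as an added example (not code from any poster) that draws each character with random_int(), PHP's interface to the operating system CSPRNG, instead of shuffle(), rand() or mt_rand(). It also compares the entropy of independent draws with the shuffle() plus array_slice() approach, where no character can repeat. The constant and function names are assumptions, and PHP 7 or later is assumed.

```php
<?php
// Added example: the constant and function names are hypothetical.

// a-z and 2-9 without the look-alikes l, o, 1 and 0 (32 symbols).
const TEMP_PW_ALPHABET = 'abcdefghijkmnpqrstuvwxyz23456789';

/**
 * Build a temporary password by drawing each character independently
 * from $alphabet with random_int(), which uses the OS CSPRNG.
 */
function generate_temp_password(int $length = 8, string $alphabet = TEMP_PW_ALPHABET): string
{
    $size = strlen($alphabet);
    if ($length < 1 || $size < 2) {
        throw new InvalidArgumentException('need length >= 1 and at least 2 symbols');
    }
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over the inclusive range, so there is no modulo bias.
        $password .= $alphabet[random_int(0, $size - 1)];
    }
    return $password;
}

/** Bits of entropy when characters may repeat: length * log2(alphabet size). */
function entropy_bits_with_repeats(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

/** Bits of entropy when no character may repeat: log2(n * (n-1) * ... * (n-k+1)). */
function entropy_bits_without_repeats(int $length, int $alphabetSize): float
{
    if ($length > $alphabetSize) {
        throw new InvalidArgumentException('cannot draw more characters than the pool holds');
    }
    $bits = 0.0;
    for ($i = 0; $i < $length; $i++) {
        $bits += log($alphabetSize - $i, 2);
    }
    return $bits;
}

echo generate_temp_password(), PHP_EOL;
printf("independent draws:  %.1f bits\n", entropy_bits_with_repeats(8, 32));
printf("shuffle and slice:  %.1f bits\n", entropy_bits_without_repeats(8, 32));
```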

I totally agree with GuiltyGear, look up "salt generation" or "password salt" which will allow you to attach a randomly generated string (with sha1() or md5()) and append those random chars to the existing user's password. Then encrypt the whole package. This will make each password in your DB completely unique and virtually impossible to crack... BUT all the other aspects of your system are still open to attack - let's say for instance someone gets a hold of your entire DB, they really don't need to know these passwords anyway, or they could then change them from INSIDE the system, completely bypassing your login checks.

 

Original pass : MyDogBob (common type with users)

Salt : 6aeff31faee28599998ef91a9c42b1ceb2e8f5ea // this string should be totally random

mod Pass = MyDogBob6aeff31

new pass = sha1('MyDogBob6aeff31')

 

Something like this secures your users' passwords to a very acceptable level, even for more sensitive systems. Just some things to think about.

 

Back to the original question, I don't know why you would need to exclude certain characters from password generation.. but the non-exclusion type that I use is this:

 

function keyGen($limit=8, $opt=false){
    $i = 0;
    $key = ''; // initialise the password string
    // character lists: lower case, upper case, digits, special characters
    $pc = array('abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', '1234567890','~!@#%^*_+');

    while($i<$limit){
        $arrkey = array_rand($pc, 1); // RETURNS THE ARRAY KEY (selects one of the character lists at random)
        $str = $pc[$arrkey];
        $key .= $str[rand(0, strlen($str) - 1)]; // selects a random char from that list (last valid index is strlen - 1)
        $i = strlen($key); // loop until the key really has $limit characters
    }
    $string = sha1($key); // SHA-1 hash of the generated password
    // if the function call requested both the plain password and its hash, create an array
    if($opt){
        $result[0] = $key;
        $result[1] = $string;
        return $result;
    }
    else{ return $key; } // if the function call doesn't need the hash - send the un-hashed string only. (THE PASSWORD)
}

Remove the characters you don't want from the list - this checks the string and will always print the designated number of chars (say 8 in this example). The reason I use this method is because the string generated is more random with uppercase, lower, numerics, and spec chars due to the random array index selected.

 

maybe you can use that

Link to comment
Share on other sites
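As an added example (not the poster's code), the salted sha1() scheme described above can be kept only for checking existing rows, while every successful login is re-hashed with password_hash(), which generates a per-password salt itself and uses a deliberately slow algorithm. The function names and the $record array layout are assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: function names and the $record layout are hypothetical.

/** Hash a new password; password_hash() generates and embeds a random salt. */
function store_password(string $password): array
{
    return ['scheme' => 'native', 'hash' => password_hash($password, PASSWORD_DEFAULT)];
}

/** The thread's scheme, sha1(password . salt), kept only to check old rows. */
function legacy_sha1_hash(string $password, string $salt): string
{
    return sha1($password . $salt);
}

/**
 * Verify a login attempt. Returns [bool $ok, ?array $upgradedRecord];
 * a non-null second element should be written back to the database.
 */
function verify_login(string $password, array $record): array
{
    if ($record['scheme'] === 'legacy-sha1') {
        $expected = legacy_sha1_hash($password, $record['salt']);
        // hash_equals() compares in constant time.
        if (!hash_equals($record['hash'], $expected)) {
            return [false, null];
        }
        // Correct password on an old row: re-hash with password_hash().
        return [true, store_password($password)];
    }
    if (!password_verify($password, $record['hash'])) {
        return [false, null];
    }
    // Re-hash if PASSWORD_DEFAULT or its cost changed since this hash was made.
    $upgrade = password_needs_rehash($record['hash'], PASSWORD_DEFAULT)
        ? store_password($password) : null;
    return [true, $upgrade];
}

// Constructed sample row built from the values in the post above.
$old = ['scheme' => 'legacy-sha1', 'salt' => '6aeff31', 'hash' => sha1('MyDogBob6aeff31')];
[$ok, $new] = verify_login('MyDogBob', $old);
var_dump($ok, $new['scheme']);
[$okAgain] = verify_login('MyDogBob', $new);
[$rejected] = verify_login('wrong', $new);
var_dump($okAgain, $rejected);
```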

How about something simple like:

 

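function generate_password() {
    $length = 8;
    // Allowed characters: no 'l'/'L', 'o'/'O', '1' or '0' (lower-case 'e' and 'i' are also absent)
    $chars = "abcdfghjkmnpqrstuvwxyzABCDEFGHIJKMNPQRSTUVWXYZ23456789";

    $size = strlen($chars);
    $str = ''; // initialise so the first .= does not hit an undefined variable
    for ($i = 0; $i < $length; $i++) {
        // append the character at a random index of $chars
        $str .= $chars[rand(0, $size - 1)];
    }
    return $str;
}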

 

use this, it's win

Link to comment
Share on other sites
