stijn0713 Posted August 18, 2012

Probably stupid question: is it possible to generate a unique password without checking the db first?

Pikachu2000 Posted August 18, 2012

You shouldn't check the db first. You should check it second.

Mahngiel Posted August 18, 2012

What is a "unique password"? Did you know the most common password is "password"?

stijn0713 (Author) Posted August 18, 2012

Before sending a mail to the user, I want to generate a password which he'll use to validate himself for the survey. OK, I'll randomly generate one, and query against the db to check that it doesn't exist yet.

Mahngiel Posted August 18, 2012

You can create a random string by simply hashing the user's session ID.

Christian F. Posted August 18, 2012

You don't want to be using a unique password, but a unique combination of user identifier and password. The former can be a randomly generated ID (GUID), or a username. Just make sure that part is unique for simplicity's sake, though it is really only the combination that needs to be unique.

stijn0713 (Author) Posted August 18, 2012

Mm, smart idea to use the ID to make the password unique. However, no session has started yet if he isn't logged in to take the survey, so idea 1 and query the db?

Mahngiel Posted August 18, 2012

Logged-in users aren't the only people who get sessions, ya know?

stijn0713 (Author) Posted August 18, 2012

@christianF ... no, the password also needs to be unique, because users with a unique ID can take different surveys and a particular user may not use his password for taking another survey.

Mahngiel Posted August 18, 2012

If you're using a user database, what's the purpose of your implementation? Let the user sign up with their own email/password combo, send them an email verification with some random string being the activation code; access to that link activates their account. Now that you have a successfully auth'd user, keep track of what surveys they're allowed to partake in and which ones they already have.

stijn0713 (Author) Posted August 18, 2012

What I'm making is a little system for the administrator where he can create surveys and invite people that he has in his database to take part in the survey. This invitation is a mail with a link. I cannot allow the invited person to log in with the email and password from the users database because that will allow him to also take part in other surveys. I therefore want to generate a unique password code for each invitation in the script where the administrator sends the invitation (email).

Pikachu2000 Posted August 18, 2012

Why not add the users that have been invited to a table indicating they've been invited? Then check the table for the survey and user id to verify permission. Sure would be a lot less hassle than creating additional passwords, and would allow you to see who has been invited to what, and track their participation as a side benefit. You could also use it to remind people if they have outstanding invites when they log in. The benefits are almost limitless. Well OK, not limitless, but there are benefits...

Drongo_III Posted August 18, 2012

$uniquePW = rand() . time();

teng84 Posted August 19, 2012

Date and time is always unique.

spiderwell Posted August 20, 2012

I was going to suggest the same as the two entries above. Date and time will never be the same until time travel is invented.

Christian F. Posted August 20, 2012

Sure about that? What happens if two people load the page at exactly the same time? The more users you have, the higher the likelihood (and frequency) of it happening.

Mahngiel Posted August 20, 2012

No offense to any of you, but the entire thread should really be read before posting. The "solutions" given in the past few posts to answer the OP do not actually provide an adequate solution to the OP's need.

yamikowebs Posted August 20, 2012

Use a timestamp or something that uses the timestamp, like a hash of the timestamp. I personally would think it's better to store who should have access to the survey and send an email with just a link. On the page itself, check if the user was one of the invited users.

xyph Posted August 20, 2012

> $uniquePW = rand() . time();

There's not enough entropy in this solution. The passwords are far too 'guessable'.

Here's a decent solution. Requires the mcrypt library.

<?php
$characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$password_length = rand(10,15);
$size = strlen($characters);
// Read $password_length raw bytes from /dev/urandom
$rand = mcrypt_create_iv($password_length,MCRYPT_DEV_URANDOM);
$password = '';
// Scale each byte (0-255) down to an index into $characters
foreach( str_split($rand) as $char )
    $password .= $characters[(int) floor(ord($char)*($size/256))];
echo $password;
?>

Keep in mind, there's slight 'bias' with the floor command. It's still incredibly more difficult to predict than any of the above examples. It's also quite 'wasteful' with the random stream, but that's not a huge deal on smaller traffic sites.

Unless you have absolutely no choice, you should never use time to generate anything sensitive.

yamikowebs Posted August 20, 2012

@ChristianF It's not possible for two people to load the page at the exact same time; the requests are handled in an order.

xyph Posted August 20, 2012

> @ChristianF It's not possible for two people to load the page at the exact same time; the requests are handled in an order.

Multi-threaded software. Multi-core computers. It's very possible to do multiple things at the exact same time with modern computing.

Drummin Posted August 20, 2012

I had grabbed this off the web some time ago and used it in several situations like this. Might work for you.

<?php
//Generate a random
$min=6; // minimum length of keycode
$max=8; // maximum length of keycode
$kcode=""; // to store generated keycode
for($i=0;$i<rand($min,$max);$i++){
    $num=rand(48,122);
    if(($num > 97 && $num < 122)){
        $kcode.=chr($num);
    }
    else if(($num > 65 && $num < 90)){
        $kcode.=chr($num);
    }
    else if(($num >48 && $num < 57)){
        $kcode.=chr($num);
    }
    else if($num==95){
        $kcode.=chr($num);
    }
    else{
        $i--;
    }
}
echo "$kcode";
?>

xyph Posted August 20, 2012

> I had grabbed this off the web some time ago and used it in several situations like this. Might work for you.
>
> <?php
> //Generate a random
> $min=6; // minimum length of keycode
> $max=8; // maximum length of keycode
> $kcode=""; // to store generated keycode
> for($i=0;$i<rand($min,$max);$i++){
>     $num=rand(48,122);
>     if(($num > 97 && $num < 122)){
>         $kcode.=chr($num);
>     }
>     else if(($num > 65 && $num < 90)){
>         $kcode.=chr($num);
>     }
>     else if(($num >48 && $num < 57)){
>         $kcode.=chr($num);
>     }
>     else if($num==95){
>         $kcode.=chr($num);
>     }
>     else{
>         $i--;
>     }
> }
> echo "$kcode";
> ?>

rand is pseudo-random. It uses time to seed its results. Only use this solution if a cryptographically-secure random stream isn't available.

It's also some UGLY code. Better off giving a list of valid characters, making a random number between 0,(number of characters - 1), and picking with that.

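Added example, not part of any post in this thread: the "list of valid characters plus a random index" approach described above, using PHP 7's random_int() so the pick has no floor() scaling bias, combined with the per-survey invitation table suggested earlier in the thread. It assumes PHP 7+ with pdo_sqlite; the table, column and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite;
// the table and function names are hypothetical.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// random_int() reads the OS CSPRNG and is uniform over [0, $max], so every
// character in the list is equally likely.
function invite_code(int $length = 20): string
{
    $max = strlen(ALPHABET) - 1;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= ALPHABET[random_int(0, $max)];
    }
    return $code;
}

// Returns the code for the e-mailed link; only its SHA-256 hash is stored.
function invite(PDO $db, int $surveyId, int $userId): string
{
    $code = invite_code();
    $db->prepare('INSERT INTO invitation (survey_id, user_id, code_hash) VALUES (?, ?, ?)')
       ->execute([$surveyId, $userId, hash('sha256', $code)]);
    return $code;
}

// A code is accepted once, and only for the survey it was issued for.
function redeem(PDO $db, int $surveyId, string $code): bool
{
    $stmt = $db->prepare('UPDATE invitation SET used = 1
                          WHERE survey_id = ? AND code_hash = ? AND used = 0');
    $stmt->execute([$surveyId, hash('sha256', $code)]);
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The UNIQUE constraint is the database check that comes second: a duplicate
// code makes the INSERT throw instead of being stored.
$db->exec('CREATE TABLE invitation (
    survey_id INTEGER NOT NULL, user_id INTEGER NOT NULL,
    code_hash TEXT NOT NULL UNIQUE, used INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (survey_id, user_id))');
$code = invite($db, 1, 42);        // constructed sample: survey 1, user 42
var_dump(redeem($db, 1, $code));   // first use, on the survey it was issued for
var_dump(redeem($db, 2, $code));   // same code presented for another survey
var_dump(redeem($db, 1, $code));   // second use of the same code
```
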
yamikowebs Posted August 21, 2012

> > @ChristianF It's not possible for two people to load the page at the exact same time; the requests are handled in an order.
>
> Multi-threaded software. Multi-core computers. It's very possible to do multiple things at the exact same time with modern computing.

My understanding is that even with multithreading things are not truly happening at the same time. Only the processor is multithreaded, and things like disk reading/writing and RAM access are not.