
You don't want to be using a unique password, but a unique combination of user identifier and password. The former can be a randomly generated ID (GUID), or a username. Just make sure that part is unique for simplicity's sake, though it is really only the combination that needs to be unique.

If you're using a user database, what's the purpose of your implementation? Let the user sign up with their own email/password combo, send them an email verification with some random string as the activation code; accessing that link activates their account. Now that you have a successfully auth'd user, keep track of which surveys they're allowed to partake in and which ones they already have.

What I'm making is a little system for the administrator where he can create surveys and invite people that he has in his database to take part in the survey.

This invitation is a mail with a link. I cannot allow the invited person to log in with the email and password from the users database because that will allow him to also take part in other surveys.

I therefore want to generate a unique password code for each invitation in the script where the administrator sends the invitation (email).

Why not add the users that have been invited to a table indicating they've been invited? Then check the table for the survey and user id to verify permission. Sure would be a lot less hassle than creating additional passwords, and would allow you to see who has been invited to what, and track their participation as a side benefit. You could also use it to remind people if they have outstanding invites when they log in. The benefits are almost limitless. Well OK, not limitless, but there are benefits . .

Use a timestamp or something that uses the timestamp like a hash of the time stamp.

I personally would think it's better to store who should have access to the survey and send an email with just a link. On the page itself, check if the user was one of the invited users.
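As an added example (not code from the thread), here is the invitation-table approach the two replies above describe, in PHP with PDO and an in-memory SQLite table: one row per (survey, user), each carrying its own random token that goes into the mailed link, with only the token's hash stored. The table name, column names, placeholder host and link format are assumptions for this example.

```php
<?php
// Added example, not from the thread: one invitation row per (survey, user),
// each with its own random token. The token goes into the mail link; only its
// hash is stored, so a leaked table does not yield usable links.
// Table and column names are assumptions for this example.

function openInvitationDb(): PDO {
    $db = new PDO('sqlite::memory:'); // constructed in-memory DB for the demo
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE invitations (
        survey_id  INTEGER NOT NULL,
        user_id    INTEGER NOT NULL,
        token_hash TEXT    NOT NULL UNIQUE,
        used_at    TEXT    NULL,
        UNIQUE (survey_id, user_id)
    )');
    return $db;
}

// Create an invitation and return the raw token for the e-mail link.
function invite(PDO $db, int $surveyId, int $userId): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG, no time() involved
    $stmt = $db->prepare('INSERT INTO invitations (survey_id, user_id, token_hash)
                          VALUES (:s, :u, :h)');
    $stmt->execute([':s' => $surveyId, ':u' => $userId, ':h' => hash('sha256', $token)]);
    return $token;
}

// Called by the survey page: the link carries survey_id and token.
// Returns the invited user_id on success, or null if the token is unknown,
// belongs to another survey, or was already used.
function redeem(PDO $db, int $surveyId, string $token): ?int {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id FROM invitations
                          WHERE survey_id = :s AND token_hash = :h AND used_at IS NULL');
    $stmt->execute([':s' => $surveyId, ':h' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Mark the invitation used in the same WHERE clause so two concurrent
    // requests with the same link cannot both succeed.
    $mark = $db->prepare('UPDATE invitations SET used_at = :now
                          WHERE survey_id = :s AND token_hash = :h AND used_at IS NULL');
    $mark->execute([':now' => gmdate('c'), ':s' => $surveyId, ':h' => $hash]);
    if ($mark->rowCount() !== 1) {
        return null; // lost the race with another redemption of the same link
    }
    return (int) $row['user_id'];
}

$db = openInvitationDb();
$token = invite($db, 7, 42);
$link = 'https://example.invalid/survey.php?survey=7&token=' . $token; // placeholder host
echo "Mail this link to user 42: $link\n";

var_dump(redeem($db, 7, $token));   // int(42): first use succeeds
var_dump(redeem($db, 7, $token));   // NULL: link cannot be reused
var_dump(redeem($db, 8, $token));   // NULL: token is bound to survey 7 only
```

Because the token is bound to a single survey row, a user who holds a link for survey 7 gains nothing for survey 8, which is exactly the separation the original question asks for. If participants should be able to return to a half-finished survey, move the `used_at` update from the page load to the final submission; the lookup logic stays the same.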

$uniquePW = rand() . time();

There's not enough entropy in this solution. The passwords are far too 'guessable'.

Here's a decent solution. Requires the mcrypt library.

<?php

// 62-symbol alphabet; every output character is picked from it
$characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$password_length = rand(10,15);

$size = strlen($characters);
// one random byte per output character, read from /dev/urandom
// (mcrypt_create_iv() was removed in PHP 7.2; random_bytes($password_length) is the replacement there)
$rand = mcrypt_create_iv($password_length,MCRYPT_DEV_URANDOM);
$password = '';
foreach( str_split($rand) as $char )
    // scale the byte 0..255 onto 0..$size-1; cast to int so it is a valid string offset
    $password .= $characters[(int) floor(ord($char)*($size/256))];

echo $password;

?>

Keep in mind, there's a slight 'bias' with the floor command. It's still incredibly more difficult to predict than any of the above examples. It's also quite 'wasteful' with the random stream, but that's not a huge deal on smaller traffic sites.

Unless you have absolutely no choice, you should never use time to generate anything sensitive.

@ChristianF It's not possible for two people to load the page at the exact same time :P the requests are handled in order.

Multi-threaded software. Multi-core computers. It's very possible to do multiple things at the exact same time with modern computing.

I had grabbed this off the web some time ago and used it in several situations like this. Might work for you.

<?php
//Generate a random keycode of between $min and $max characters
$min=6; // minimum length of keycode
$max=8; // maximum length of keycode
$kcode=""; // to store generated keycode
$len=rand($min,$max); // pick the length once; re-rolling it in the loop condition changed the target every pass
for($i=0;$i<$len;$i++){
$num=rand(48,122);
if(($num >= 97 && $num <= 122)){ // a-z (inclusive, so 'a' and 'z' are not skipped)
	$kcode.=chr($num);
}
else if(($num >= 65 && $num <= 90)){ // A-Z
	$kcode.=chr($num);
}
else if(($num >= 48 && $num <= 57)){ // 0-9
	$kcode.=chr($num);
}
else if($num==95){ // underscore
	$kcode.=chr($num);
}
else{
	$i--; // not a wanted character, draw again
}
}
echo "$kcode";
?>


rand is pseudo-random. It uses time to seed its results. Only use this solution if a cryptographically-secure random stream isn't available.

It's also some UGLY code. Better off giving a list of valid characters, making a random number between 0,(number of characters - 1), and picking with that.
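The alphabet-plus-random-index approach suggested here, as an added example that is not code from the thread: `randomCode()` uses `random_int()` (a CSPRNG in PHP 7+) to pick each index, `randomCodeFromBytes()` keeps the raw-byte style of the mcrypt post but removes the bias by discarding bytes instead of squashing them with floor(), and `floorBias()` counts how uneven the floor scaling from the earlier post actually is. The alphabet and function names are this example's own choices.

```php
<?php
// Added example, not from the thread: uniform character selection from an
// alphabet, versus the floor() scaling of raw bytes discussed earlier.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Uniform: random_int() draws an unbiased integer in [0, size-1] from the CSPRNG,
// so no character of the alphabet is favoured.
function randomCode(int $length, string $alphabet = ALPHABET): string {
    $size = strlen($alphabet);
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $size - 1)];
    }
    return $code;
}

// Same idea on raw bytes, made uniform by rejection sampling: a byte is only
// used if it is below the largest multiple of $size that fits in 256
// (248 for 62 symbols); the rest are discarded rather than scaled with floor().
function randomCodeFromBytes(int $length, string $alphabet = ALPHABET): string {
    $size = strlen($alphabet);
    $limit = 256 - (256 % $size); // bytes >= $limit would over-represent the low indices
    $code = '';
    while (strlen($code) < $length) {
        foreach (str_split(random_bytes($length)) as $byte) {
            $n = ord($byte);
            if ($n < $limit) {
                $code .= $alphabet[$n % $size];
                if (strlen($code) === $length) {
                    break;
                }
            }
        }
    }
    return $code;
}

// Measure the bias of floor(ord($c) * ($size / 256)): map all 256 byte values
// to alphabet indices and count how many bytes land on each index. For 62
// symbols, 8 indices receive 5 bytes and 54 receive 4, so those 8 characters
// are 25% more likely than the others.
function floorBias(string $alphabet = ALPHABET): array {
    $size = strlen($alphabet);
    $hits = array_fill(0, $size, 0);
    for ($b = 0; $b < 256; $b++) {
        $hits[(int) floor($b * ($size / 256))]++;
    }
    return array_count_values($hits); // e.g. [5 => 8, 4 => 54] for 62 symbols
}

echo randomCode(12), "\n";
echo randomCodeFromBytes(12), "\n";
print_r(floorBias());
```

A 25% skew on a handful of characters does not make a 12-character code guessable, which is the earlier poster's point; it just means the code carries slightly less than the full log2(62) bits per character, and `random_int()` removes that loss for free.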


My understanding is that even with multithreading things are not truly happening at the same time. Only the processor is multithreaded, and things like disk reading/writing and RAM access are not.
