xyph, posted August 21, 2012

> @ChristianF It's not possible for two people to load the page at the exact same time; the requests are handled in an order.

> Multi-threaded software. Multi-core computers. It's very possible to do multiple things at the exact same time with modern computing.

> My understanding is that even with multithreading things are not truly happening at the same time. Only the processor is multithreaded and things like disk reading/writing and RAM access are not.

You're thinking extremely low-level. At a higher level, you can be both reading a file into memory, and writing from memory 'at the same time' in the sense that both actions start before either completes.

Even at the low level, the limitation would only be hardware and OS operation. If you've only got 1 pipe, or the OS only knows how to use 1 pipe, you're restricted to that.

So, in this same sense, unless you've specifically placed a lock on a shared resource, it's very possible for any given request to begin being processed while the server is in the middle of processing another. If this weren't true, race conditions wouldn't exist.

Jessica, posted August 21, 2012

Not to mention, many things can happen one after another in one second, and time() only goes to the second.

stijn0713 (Author), posted August 24, 2012

> $uniquePW = rand() . time();

> There's not enough entropy in this solution. The passwords are far too 'guessable'.
>
> Here's a decent solution. Requires the mcrypt library.
>
> ```php
> <?php
> // Alphabet the password is drawn from (62 characters).
> $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
> // Password length varies between 10 and 15 characters.
> $password_length = rand(10, 15);
> $size = strlen($characters);
> // One random byte per password character, read from /dev/urandom via mcrypt.
> $rand = mcrypt_create_iv($password_length, MCRYPT_DEV_URANDOM);
> $password = '';
> // Scale each byte (0-255) down to an index into $characters.
> foreach (str_split($rand) as $char) {
>     $password .= $characters[(int) floor(ord($char) * ($size / 256))];
> }
> echo $password;
> ?>
> ```
>
> Keep in mind, there's slight 'bias' with the floor command. It's still incredibly more difficult to predict than any of the above examples. It's also quite 'wasteful' with the random stream, but that's not a huge deal on smaller traffic sites.
>
> Unless you have absolutely no choice, you should never use time to generate anything sensitive.

Hello xyph,

Before posting the question I haven't been busy with security issues, so after getting your sample code I have taken a first (probably very superficial) look at encryption and hashing.

If I understand your code well, this is some kind of pseudo random number (/string) generator. So the password generated should still be hashed? And this 'seed', or initialization vector, shouldn't it also be secret?

Furthermore, I was wondering where this randomness came from (if I'm testing this in my WAMP on a PC computer). Can I check the 'pool of entropy' and, so to say, put a number on the probability of generating equal passwords?

Christian F., posted August 24, 2012

That code does indeed produce a random string, which in this case is used as a password. Yes.

The actual PRNG is, in this case, "urandom" (/dev/urandom on Linux, and whatever is applicable for Windows). That's also where the source of entropy comes from, so a Google search should provide you with the data you need on that.

I'm also going to assume that the "seed/initialization vector" you refer to is $rand. After the password has been generated the contents of this variable have exceeded their usefulness, as they've been translated into an actual password by the loop. It is thus quite safe, and in fact recommended, to just ignore it and let it be deleted at the end of execution.

Adam, posted August 24, 2012

Did you know the most common password is "password"? The 8th is "pussy".

xyph, posted August 24, 2012

It's not pseudorandom. It uses a cryptographically secure source. I've used mcrypt_create_iv to interface with /dev/urandom, because apparently it also works on newer versions of Windows (I'm not 100% sure of this).

That process simply creates a password of random (10-15) length, based on the character set provided. It does nothing to verify if it's a unique password. For storage, it would have to be salted/hashed in a secure, slow manner.

Why you'd need a truly unique password, I don't know.

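An added example, not code from any post in the thread: it counts the 'bias' of the floor mapping discussed above for the 62-character set, then builds a password with rejection sampling so every character is equally likely, and hashes it for storage. The function names are hypothetical, and it assumes PHP 7.0+ with `random_bytes()` standing in for `mcrypt_create_iv()`.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.
// Assumes PHP 7.0+ (random_bytes, password_hash).
const CHARSET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Count how many of the 256 possible byte values land on each character
// under the thread's floor(byte * size / 256) mapping.
function floorMappingCounts(string $chars): array
{
    $size = strlen($chars);
    $counts = array_fill(0, $size, 0);
    for ($byte = 0; $byte < 256; $byte++) {
        $counts[(int) floor($byte * ($size / 256))]++;
    }
    return $counts;
}

// Rejection sampling: drop any byte at or above the largest multiple of
// $size that fits in 256, so the remaining values divide evenly.
function unbiasedPassword(int $length, string $chars = CHARSET): string
{
    $size = strlen($chars);
    if ($length < 1 || $size < 2 || $size > 256) {
        throw new InvalidArgumentException('bad length or character set');
    }
    $limit = 256 - (256 % $size);
    $password = '';
    while (strlen($password) < $length) {
        // Ask only for the bytes still missing; rejected ones are retried next pass.
        foreach (str_split(random_bytes($length - strlen($password))) as $char) {
            $value = ord($char);
            if ($value < $limit) {
                $password .= $chars[$value % $size];
            }
        }
    }
    return $password;
}

$counts = floorMappingCounts(CHARSET);
printf("floor mapping: %d characters get 5 byte values, %d get 4\n",
    count(array_keys($counts, 5)), count(array_keys($counts, 4)));

$password = unbiasedPassword(12);
$stored = password_hash($password, PASSWORD_DEFAULT); // salted, slow hash for storage
printf("%s verifies: %s\n", $password, var_export(password_verify($password, $stored), true));
printf("entropy at length 12: %.1f bits\n", 12 * log(62, 2));
```
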
xyph, posted August 24, 2012

> The actual PRNG is, in this case, "urandom".

/dev/urandom isn't considered pseudo-random.

Christian F., posted August 24, 2012

Yeah, should have placed a pair of parentheses around the P there. I can only blame force of habit.

Sorry about not being clear about the non-pseudo state of "/dev/urandom".

xyph, posted August 24, 2012

No need to apologize, just good to make sure the right information is posted.

We're all very fast typers, and our heads can't always keep up.