Jump to content

generating unique password without going to db?


stijn0713

Recommended Posts

@ChristianF Its not possible for two people to load the page at the exact same time :P the request are handled in an order.

 

Multi-threaded software. Multi-core computers. It's very possible to do multiple things at the exact same time with modern computing.

 

My understanding is that even with multithreading things are not truly happening at the same time. Only the processor is multithreaded and things like disk reading/writting and ram access are not.

 

You're thinking extremely low-level. At a higher level, you can be both reading a file into memory, and writing from memory 'at the same time' in the sense that both actions start before either completes. Even at the low level, the limitation would only be hardware and OS operation. If you've only got 1 pipe, or the OS only knows how to use 1 pipe, you're restricted to that.

 

So, in this same sense, unless you've specifically placed a lock on a shared resource, it's very possible for any given request to begin being processed while the server is in the middle of processing another. If this weren't true, race conditions wouldn't exist.

Link to comment
Share on other sites

$uniquePW = rand() . time();

 

There's not enough entropy in this solution. The passwords are far too 'guessable'

 

Here's a decent solution. Requires the mcrypt library.

<?php

$characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$password_length = rand(10,15);

$size = strlen($characters);
$rand = mcrypt_create_iv($password_length,MCRYPT_DEV_URANDOM);
$password = '';
foreach( str_split($rand) as $char )
$password .= $characters[floor(ord($char)*($size/256))];

echo $password;

?>

 

Keep in mind, there's slight 'bias' with the floor command. It's still incredibly more difficult to predict than any of the above examples. It's also quite 'wasteful' with the random stream, but that's not a huge deal on smaller traffic sites.

 

Unless you have absolutely no choice, you should never use time to generate anything sensitive.

 

Hello xyth,

 

before posting the question i haven't been busy with security issues, so after getting your sample code i have taken a first (probably very surficial) look at encryption and hashing.

 

If i understand your code well, this is some kind of pseudo random number (/string) generator. So the pasword generated should still be hashed? and this 'seed', or initialization vector, shoudn't it be also secret ?

 

furthermore, i was wondering where this randomness came from (if i'm testing this in my wamp on pc computer) can i check the 'pool of entropy' and so to say, put a number of the probability of generating equal paswords??

 

Link to comment
Share on other sites

That code does indeed produce a random string, which in this case is used as a password. Yes. The actual PRNG is, in this case, "urandom". (/dev/urandom on Linux, and whatever is the applicable for Windows). That's also where the source of entropy comes from, so a google search should provide you with the data you need on that.

 

I'm also going to assume that the "seed/initialization vector" you refer to is $rand. After the password has been generated the contents of this variable has exceeded their usefulness, as they've been translated into an actual password by the loop. It is thus quite safe, and in fact recommended, to just ignore it and let it be deleted at the end of execution.

Link to comment
Share on other sites

It's not pseudorandom. It uses a cryptographically secure source. I've used mcrypt_create_iv to interface with /dev/urandom, because apparently it also works on newer versions of Windows (I'm not 100% sure of this)

 

That process simply creates a password of random (10-15) length, based on the character set provided.

 

It does nothing to verify if it's a unique password.

 

For storage, it would have to be salted/hashed in a secure, slow manner.

 

Why you'd need a truly unique password, I don't know.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.