Rand function with groups of ascii symbols?

Hello, I am doing a random password generator with symbols only (like $%[-*). On the ASCII table there are 4 groups of symbols: 33 to 47, 58 to 64, 91 to 96 and 123 to 126. Normally the rand function would be something like this: rand(33,47), but in my case I have 4 groups. How do I add those 4 groups into rand()?

Thanks

First off: Why do you want to implement a password generator with PHP? I can hardly think of a scenario where this would make sense. If you’re trying to generate passwords for your users, that’s definitely a bad idea.

Secondly, the [tt]rand()[/tt] function is completely unsuitable for anything serious, because the underlying random number generator yields predictable results and is generally very poor (see the warnings in the manual). If at all, you’d use a cryptographically secure random number generator (CSPRNG). If you already have PHP 7, you can simply use the built-in CSPRNG extension. Otherwise you’ll have to install the random_compat library which provides the same functions for older PHP versions.

But again: What are you trying to do?

Well, in my humble opinion, it is often needed to create a temporary password for a newly registered user.
This makes it much easier for the user to enter quickly. They are given the temporary password which allows
them to get onto the site quickly. Then, they are forced to change the password. This also allows for the
site to invite others. For instance, one of my sites allows users to invite other users. They are validated by
the ADMINs before they are allowed to do anything on the site. But, as I said, there are useful reasons to
create a password. This is one way that a site does it. I think this code came from Stack Overflow and it can
be altered to fit your needs. But, in your code, you need to create the sections separately and then
combine the results.

[php]
// First create new temporary password for the new user. Start with a blank password
$newpassword = "";

//  Define possible characters - any character in this string can be picked for use in the password, so if you want to put vowels back in
//  or add special characters such as exclamation marks, this is where you should do it.  Note no vowels, so no bad words by accident
$possible = "2346789bcdfghjkmnpqrtvwxyzBCDFGHJKLMNPQRTVWXYZ";
$maxlength = strlen($possible);

//  Set up a counter for how many characters are in the password so far
$i = 0; 
while ($i < 8) { 
	$char = substr($possible, mt_rand(0, $maxlength-1), 1);
	//  Now check for used characters, just do not repeat...
  if (!strstr($newpassword, $char)) { 
   		$newpassword .= $char;
   		$i++;
  }

}
[/php]
This code then encrypts the password, marks it as temporary so the user is forced to change it and stores
it all into the database. Now, in your code, if you want different groups for the randomize sections, you
will need to do it in sections. Create the four groups and just concatenate them together. Loosely like
this: $part1=rand(33,47); $part2=rand(58,64); etc then, $pass=$part1.$part2; etc…

This is wrong on so many levels and again demonstrates why it’s a terrible idea to just copy-and-paste code you found somewhere on the Internet. Especially when it’s PHP code.

[ul][li]You do not need “temporary passwords”, because you can simply use tokens. Instead of making the user manually enter some password (which is always problematic), you just pass a long random string via the URL. This provides maximum security combined with maximum usability, which is why it’s the standard solution used by virtually every professional web application.[/li]
[li]As I already said multiple times, generating a password, a token or any critical random number requires a CSPRNG. rand() or mt_rand() do not produce secure random numbers! Even the PHP manual says that in a big yellow box. If you don’t believe me, then at least believe the people who actually wrote the function.[/li]
[li]The chosen alphabet and length in the code show that the original author has no clue what he’s doing. Vowels are excluded to prevent “bad words”? What the hell? Excluding duplicate letters further reduces the number of possible passwords. Due to the birthday paradox, it only takes ~4,000,000 attempts to guess the right password with a probability of 1/2.[/li][/ul]

So, for the love of god, don’t use this. Not even for a toy application. Generate a random token with a CSPRNG and then encode it in any way you like. A simple example using 128 bits with hex-encoding:
[php]<?php

// 16 bytes = 128 bits, read from the CSPRNG
$rawToken = random_bytes(16);
// hex-encode the raw bytes (32 hex digits)
$encodedToken = bin2hex($rawToken);

var_dump($encodedToken);[/php]
If you want the token to be shorter and look more like a password, you can simply use a different encoding like Base64:
[php]<?php

// 16 bytes = 128 bits, read from the CSPRNG
$rawToken = random_bytes(16);
$encodedToken = base64_encode($rawToken);
// remove the Base64 padding; you may also adjust the alphabet by replacing the standard Base64 digits
$encodedToken = trim($encodedToken, '=');

var_dump($encodedToken);[/php]
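The selection the original question asks about (one character drawn from the four ASCII symbol groups), done with the CSPRNG function `random_int()` instead of `rand()`, as an added example that is not part of any post in this thread. The names `SYMBOL_RANGES`, `symbolAlphabet`, `randomFromAlphabet` and `lengthForBits` are made up for this illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not code from the thread). All names here are hypothetical.

// The four ASCII symbol groups listed in the question: 15 + 7 + 6 + 4 codes.
const SYMBOL_RANGES = [[33, 47], [58, 64], [91, 96], [123, 126]];

/** Flatten the groups into one string so every symbol is equally likely,
 *  instead of calling the generator once per group. */
function symbolAlphabet(array $ranges = SYMBOL_RANGES): string
{
    $alphabet = '';
    foreach ($ranges as [$lo, $hi]) {
        $alphabet .= implode('', array_map('chr', range($lo, $hi)));
    }
    return $alphabet;
}

/** Draw $length characters from $alphabet. random_int() uses the operating
 *  system's CSPRNG and returns uniformly distributed integers, so there is
 *  no modulo bias and no predictable seed as with rand()/mt_rand(). */
function randomFromAlphabet(string $alphabet, int $length): string
{
    $max = strlen($alphabet) - 1;
    if ($max < 1 || $length < 1) {
        throw new InvalidArgumentException('need at least 2 symbols and a length of at least 1');
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** Number of characters needed to carry $bits of randomness:
 *  each character contributes log2(alphabet size) bits. */
function lengthForBits(string $alphabet, int $bits): int
{
    return (int) ceil($bits / log(strlen($alphabet), 2));
}

$alphabet = symbolAlphabet();
$length   = lengthForBits($alphabet, 128); // same 128-bit strength as the token examples
echo strlen($alphabet), ' symbols, ', $length, ' characters: ',
     randomFromAlphabet($alphabet, $length), PHP_EOL;
```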

Well, I’m not going to argue over what you think is right or wrong, but, there are many loopholes to your
ideas and code. The reason you might want a temporary password created is vast, not wrong on many
levels. Quite often, you need to create a new temporary password and email it to a user. Other times you
might want to allow someone to add a new user to your site. You would never want to pass that through a
URL. That is just not a safe practice. Since we are only talking about a temporary password, it is kept for
only a short time on the site and then dumped, therefore, no big security issues there. If you create a, let’s
say 8 char password, you would not want to pass that through a URL and it is only good for 24 hours, so why
worry about it. We do not care if a user uses bad words for their password. Crazy even thinking about that!
Nobody ever sees their password, so let them go at it. And, why would you want to waste the processing
time to create your 128 bit hex-encoded TEMP password, just to dump it the next day? Waste of time…

Lastly, that is NOT what this post is about and it is just off topic!

Like?

PH was proposing another (much better) solution with using a token instead of a “password”.

The time is irrelevant. If you don’t care about the strength of the passwords why set a password at all?

It was your code that excluded characters from the character set to avoid “bad passwords”…

Security is never a waste of time.

I think it was very on topic, it solved the problem the OP had in a better way than he originally asked for - but still on topic.

Okay JimL, another list of off-topic disagreements. This is not helpful for the “learning” of the poster!

Then stop disagreeing with someone who’s clearly right. Putting the record straight and giving the best practices to the poster is definitely in the best interest of the poster.
