Posted: Mon May 01, 2006 7:13 am
All depends on the definitions of 'random' and 'password'.. I usually take a substring of md5(time())
http://forums.devnetwork.net/
timvw wrote:
All depends on the definitions of 'random' and 'password'.. I usually take a substring of md5(time())

Which is pretty much what I'm doing with my function.
Code:

// Fills the given text field with a pronounceable password:
// 8 letters alternating vowel / consonant, then one symbol, then a number 0-98.
// Note: Math.random() is not a cryptographic RNG; a CSPRNG is the safer source.
var passGen = function(domTo) {
    var sPass = '';
    var aChars = [
        ['a','e','i','o'],                                        // vowels (4)
        ['r','t','p','s','d','f','g','h','k','l','c','b','n','m'] // consonants (14)
    ];
    var nCharTypes = aChars.length;
    var aLengths = [aChars[0].length, aChars[1].length];
    var i = 8;
    while (i) {
        var nMod = i % nCharTypes;                                // even i -> vowel, odd i -> consonant
        var nRand = Math.floor(Math.random() * aLengths[nMod]);
        sPass += aChars[nMod][nRand];
        i--;
    }
    var aSymbol = ['!','$','%','^','&','*','@','#'];
    sPass += aSymbol[Math.floor(Math.random() * aSymbol.length)];
    sPass += Math.floor(Math.random() * 99);                      // 0..98, so sometimes a single digit
    domTo.value = sPass;
    return false;
}

Code:

esimocic!51
iracokof@13
erohared*41
ecafenat$14
erokoteg!54
eporibas&36
apetelir!24

Code:

passGen(document.getElementById('sometextfield'));

someberry wrote:
Generating passwords with a fixed pattern is plain silly. The point is to make it as random as possible to avoid duplication, guessing and cracking.

That depends on a few things.
agtlewis wrote:
well forgive me if I am wrong, but I would think that almost any randomly generated password would be more secure than the average passwords created by real people.

On that much we totally agree. I was offering alternatives for strong passwords that are more memorable.
someberry wrote:
But what I was really replying to was the fact that ole made the function using Javascript for everyone and anyone to see, and made it so it had a fixed pattern - consonant, consonant, vowel, etc etc. I find that a little insecure for my liking.

My point remains that fixed patterns by themselves do not make for an insecure choice.
ole wrote:
when i randomly generate passwords i try to make them as pronounceable as possible because then you can actually remember them but they still aren't real words.
This is javascript but i'm sure you're all smart enough to port it to php. It chooses a random consonant then a vowel then a consonant and so on; these are the kind of results you can expect. If you want to use the javascript you'll need to call it like this: [the function, the sample results and the call are the same as posted above]

That's pretty clever...
Yep

His pattern in possible combinations: 5*21*5*21*5*21*5*21*8*9*9.
Just because you know the pattern and position of each doesn't change the fact that you must get all of them correct in a single pass, so the odds do not change. If we were playing a game that told us when we had one position or character right, perhaps. However, in passwords, that's not the case. So, his combinations above = 78,764,805,000. Even at one hundred attempts a second, with no lock out, no delays, it would take 9,116 days.
I think calling that insecure is a little sloppy for my liking.
That's pretty clever...

Thanks. There are probably superior methods out there but that is a simple concept that anyone can write.
Roja wrote:
His pattern in possible combinations: 5*21*5*21*5*21*5*21*8*9*9.
Just because you know the pattern and position of each doesn't change the fact that you must get all of them correct in a single pass, so the odds do not change. If we were playing a game that told us when we had one position or character right, perhaps. However, in passwords, that's not the case. So, his combinations above = 78,764,805,000. Even at one hundred attempts a second, with no lock out, no delays, it would take 9,116 days.
I think calling that insecure is a little sloppy for my liking.

Actually if you look at his code, his pattern combinations are:

Code:

4 * 14 * 4 * 14 * 4 * 14 * 4 * 14 * 8 * 10 * 10 = 7,867,596,800

Code:

72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 = 269,561,249,468,963,100,000

Code:

<?php
// Roja's count of the pattern: 5 vowels, 21 consonants, 8 symbols, two digits 1-9
$Roja = 5 * 21 * 5 * 21 * 5 * 21 * 5 * 21 * 8 * 9 * 9;
// What ole's code actually draws from: 4 vowels, 14 consonants, 8 symbols, two digits
$ole = 4 * 14 * 4 * 14 * 4 * 14 * 4 * 14 * 8 * 10 * 10;
// 11 positions over a 72-character alphabet; this exceeds PHP's integer range,
// so PHP evaluates it as a float and number_format() prints a rounded value
$prefered = 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72;
echo('<p>Roja\'s total combination: ' . number_format($Roja) . '<br />');
echo('ole\'s real total combination: ' . number_format($ole) . ' (' . number_format(($ole / $Roja) * 100) . '% of real combinations).</p>');
echo('<p>More secure combinations: ' . number_format($prefered) . ' (' . number_format(($ole / $prefered) * 100) . '% of secure combinations).</p>');
?>

Code:

Roja's total combination: 78,764,805,000
ole's real total combination: 7,867,596,800 (10% of secure combinations).
More secure combinations: 269,561,249,468,963,100,000 (0% of real combinations).

someberry wrote:
Now, I made this little script to test the total combinations, providing there aren't any errors in the code, it shows how insecure ole's code is.

Security is not an absolute value. His code is not insecure. It is highly secure for the average site, for the average user, for a default password. Further, his other controls (8 attempts lockout) make anything over a few characters highly secure.
Roja wrote:
Security is not an absolute value. His code is not insecure. It is highly secure for the average site, for the average user, for a default password. Further, his other controls (8 attempts lockout) make anything over a few characters highly secure.

And if one has Javascript disabled?
Roja wrote:
You are trying to nitpick, and complain about his solution, when the reality is that his solution is more than reasonably secure. Better, it's reasonably secure AND it gives users a more memorable password.

Considering the vast majority of users will change that password as soon as they login, I don't really see the need to create a 'memorable' password for users on the fly, which chances are, is not going to be that memorable.
Roja wrote:
Ole's code is not insecure. Can it be more secure? Sure. But it would be overkill in the extreme. I'd even argue that it already is.

Depends on the site it was designed for, to be absolutely honest. A bank wouldn't touch it with a 10ft barge pole, but it would be acceptable for a very small website. If it is a very small website though, then the server isn't going to be loaded down, so I don't see it as a problem to add another layer of security.
I don't really see the need to create a 'memorable' password for users on the fly, which chances are, is not going to be that memorable.

The passwords generated by that script are A LOT more secure than the average memorable password a user provides.
I have no problem with the fact that his passwords are very difficult to crack, but that he has used Javascript to implement it with a fixed pattern. What would happen if I turned Javascript off - would I have no password at all?! If it was implemented using some server side language then I don't see it being too much of a problem.

Let me put this into context for you.