
This is a discussion on Random password generator? in the Shared & Semi-Dedicated forum

  1. #1
    JPC Addict
    Join Date
    May 2002
    Location
    Northwest Florida
    Posts
    202

    Random password generator?

    Does anyone know of a randomized password generator written in PHP?

    I'm working on a new site for a homeowners association and need to secure portions of the site: We want to make the residents' directory, association budget, and other features available to residents and property owners only. We don't want "outsiders" getting names, addresses, phone numbers, etc and using them for marketing or other nefarious purposes. Let them get that information the old fashioned way!

    My thought has been to have the user fill out a form with name, address, phone no, etc. and then check this information against the list of residents in the database. If everything matches up, a password would be e-mailed to the e-mail address of record for the residence and the account created. If the info doesn't match for some reason, the user will be denied access to the database.

    I thought I'd write a password generator based on random numbers linked to ASCII codes but don't see a way to generate random numbers -- or random character sequences -- in my PHP references. Has anyone seen a function that will do what I'm looking for? Or alternative suggestions, for that matter.
    Jim Winters
    Technology Lighthouse, Inc.
    Lighting the way for small business and nonprofit organizations.

  2. #2
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,306
    http://www.phpfreaks.com/quickcode/R...nerator/56.php

    Includes the functions srand() and rand() as the basis for the code.

    Code:
    Code Snippet:

    function makeRandomPassword() {
      // 33-character alphabet; an index is drawn from it for each position
      $salt = "abchefghjkmnpqrstuvwxyz0123456789";
      // seed rand() from the current microsecond count
      srand((double)microtime()*1000000);
      $pass = ''; // start from an empty string so the first append is defined
      $i = 0;
      // build an 8-character password
      while ($i <= 7) {
        $num = rand() % 33;
        $tmp = substr($salt, $num, 1);
        $pass = $pass . $tmp;
        $i++;
      }
      return $pass;
    }
    $random_password = makeRandomPassword();
    echo "Random Password is $random_password";

    Alternatively, you could make an array filled with words, and randomize into that array twice and then a separator... and generate passwords like foo%bar, home%foo, etc., etc.

    Good luck.
    Last edited by Ron; 07-14-2004 at 04:45 PM.

  3. #3
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,306
    Actually, thinking about it, since you're going to make them enter personal info and then validate it yourself, you could allow them to choose their own password, and just send a verification email and require them to click on a link (random generator works for the special code in the link, too).

    Have fun! Sounds like something I'd play around with myself.

  4. #4
    JPC Addict
    Join Date
    May 2002
    Location
    Northwest Florida
    Posts
    202
    Thanks, Ron. Your function and code looks just about what I wanted. And it works great, at least in the trial phase. I'm sure I'll be able to screw it up somehow.

    Funny, but my book doesn't include references to either rand() or srand(). I guess they must be so obscure they didn't warrant inclusion. The author has a pretty good discussion of security and logging in/out so I'd have thought that he'd include these.

    I've gone back and forth about allowing the user to select their own password up front and then respond to a validation e-mail. Finally decided this would be better but will rethink the issue again. If I remain on this track I'll probably incorporate a function allowing them to change their password although it kinda defeats the concept of a randomly generated one.
    Last edited by techlighthouse; 07-14-2004 at 05:42 PM.
    Jim Winters
    Technology Lighthouse, Inc.
    Lighting the way for small business and nonprofit organizations.

  5. #5
    Jag Veteran
    Join Date
    Oct 2003
    Location
    Location: Location:
    Posts
    633
    The random password in email is a great way to do automated setup without having the login information sent via the web browser. If it's not there, they can't snoop it (secure connections aside).

    Allowing the user to then change the password themselves should not pose a problem, provided they choose a decently strong password.

    What I've done for my clients is to write a little standalone Flash application that converts dictionary words into randomized 'hacker script'. This allows them to build a strong password from plaintext, which makes it easier to remember.

    The driver for this is my job, where we are not allowed to write down our passwords, and writing script to generate a password built from existing words is tricky at best.

    What I've got is still actually a beta version, but I'd be happy to send it to you as an example. It doesn't communicate with other apps, so it might just be something nice for your homeowners to use.

  6. #6
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    rand() isn't exactly what I'd call obscure functions since random number generation is pretty common in everything from games to encryption. (php.net can really be your friend when writing php code. I have a couple of PHP books, but most of the time these days I just use the site for everything.) There is also an mt_rand() function that is supposed to be faster than the standard rand() function.

    Another function to check out is uniqid() which will automatically generate a string of seemingly random alphanumeric characters (it is based on the system time, but would still be hard to guess).

    I once wrote a password generator that combined words from a list of common English words that I found on the net somewhere. It chose two different words from an array and put them together with a random two-digit number. I don't have the exact code in front of me right now, but it looked something like this:

    PHP Code:
        function mkPasswd() {
            $words = array("apple", "orange", "pear");

            //choose any word from the array
            $part1 = rand(0, count($words) - 1);

            //choose any two-digit number
            $part2 = rand(10, 99);

            //choose a second word that is not the same as the first
            $part3 = rand(0, count($words) - 1);
            while ($part3 == $part1) {
                //this will keep looping as long as $part3 and $part1 are the same
                $part3 = rand(0, count($words) - 1);
            }

            //now you've got three numbers, so assemble the password
            return $words[$part1] . $part2 . $words[$part3];
        }

    The advantage of this approach is that it is easier for a human to remember 2 words than it is for them to remember strings of randomness, but the combination of two words and a number gives you an almost infinite list of possibilities if your word list is long enough. Using real words, however, does open you up to dictionary-based attacks, but again, the number and multiple-word combination makes that a little harder than a single word password.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
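
Added example, not part of any post in this thread: the two generators discussed above (random characters, and word + number + word) plus the verification-link code from post #3, rewritten for PHP 7+ with random_int() and random_bytes(), which draw from the operating system's CSPRNG, whereas rand(), mt_rand() and uniqid() are not designed for generating secrets. The function names, alphabet and word list are assumptions made for illustration; the last two functions report the size of each scheme's search space in bits.

```php
<?php
// Added example. Function names and sample data are hypothetical.

// Random string drawn uniformly from $alphabet with the OS CSPRNG.
// random_int() needs no seeding and has no modulo bias.
function randomPassword(int $length, string $alphabet): string {
    $max = strlen($alphabet) - 1;
    $pass = '';
    for ($i = 0; $i < $length; $i++) {
        $pass .= $alphabet[random_int(0, $max)];
    }
    return $pass;
}

// word + two-digit number + a different word, as in the post above.
function wordPassword(array $words): string {
    $words = array_values($words);
    $n = count($words);
    if ($n < 2) {
        throw new InvalidArgumentException('need at least two words');
    }
    $first = random_int(0, $n - 1);
    // Draw from the n-1 other positions and step over $first,
    // which stays uniform and needs no retry loop.
    $second = random_int(0, $n - 2);
    if ($second >= $first) {
        $second++;
    }
    return $words[$first] . random_int(10, 99) . $words[$second];
}

// One-time code for an e-mailed verification link (128 random bits).
function verificationToken(): string {
    return bin2hex(random_bytes(16));
}

// Search space in bits, assuming the attacker knows the scheme.
function charBits(int $length, int $alphabetSize): float {
    return $length * log($alphabetSize, 2);
}
function wordBits(int $wordCount): float {
    return log($wordCount * ($wordCount - 1) * 90, 2);
}

$alphabet = 'abcdefghjkmnpqrstuvwxyz23456789'; // constructed, look-alikes removed
$words = ['apple', 'orange', 'pear'];           // constructed sample list
echo randomPassword(8, $alphabet), "\n", wordPassword($words), "\n";
echo verificationToken(), "\n";
printf("8 random chars: %.1f bits\n", charBits(8, strlen($alphabet)));
printf("3 words: %.1f bits; 2048 words: %.1f bits\n", wordBits(3), wordBits(2048));
```

Whichever generator is used, store only a password_hash() of the result, and let the e-mailed verification code expire after a single use.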

  7. #7
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,306
    Didn't I suggest almost exactly that?
    Last edited by Ron; 07-15-2004 at 10:20 AM.

  8. #8
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Originally posted by Ron
    Didn't I suggest almost exactly that?
    Yes, I guess you did. I just skimmed the replies this AM and didn't see the end of yours.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  9. #9
    JPC Addict
    Join Date
    May 2002
    Location
    Northwest Florida
    Posts
    202
    Lokki --

    Thanks for the offer but I have to pass on it. I've never learned flash well enough to feel comfortable implementing anything, much less something my clients are depending on for site security. Others, though, might find it of interest so I hope you'll keep the offer open.

    Jason & Ron --

    Thanks for the additional option. I'll let y'all know what I end up doing. Hopefully this will help others.

    My book (PHP and MySQL Web Development, Luke Welling & Laura Thomson, SAMS, 2001) isn't really intended as a comprehensive PHP manual. Rather it's a learning tool on writing integrated PHP/MySQL applications. I'm still surprised, though, that it doesn't seem to cover any of the random functions.
    Jim Winters
    Technology Lighthouse, Inc.
    Lighting the way for small business and nonprofit organizations.

  10. #10
    Jag Veteran
    Join Date
    Oct 2003
    Location
    Location: Location:
    Posts
    633
    Just to clarify for anyone else:

    The little application is a standalone executable designed to help a user create a secure password that they can enter themselves. I have no intention of connecting it to anything external. There are no external files or communications that happen.

    What I've done is taken a straight replacement array, count the number of letters in the entered word, and generate a random limited depth sequence. This yields a string that is used to look up the replacements. The arrays can be shifted, rebuilt, added to, or otherwise customized.

    This version was just a tester, so I limited myself to a ternary.

    For example, if we say this...
    0 = force capital
    1 = no change
    2 = hacker script replacement

    and enter 'mypassword', one possible combination generated is 2010022120 which gives a password of =YpAS2$o?D

    That's a pretty strong password!

    In the next version, I plan to allow the user to enter the lookup key and the plaintext word to back out the generated password. The idea is that it's easy to remember a plain text word, and the key can be written down with reasonable safety, as long as a decent plain text word or phrase is chosen. Like the Enigma machine, the key and the phrase are useless if taken separately.

    At some point, however, the user must remember a password of some sort.

    Anyway, I just offered this explanation because I thought it was an interesting challenge one night, and it turned out to be fun *and* useful. The application itself is not in any way meant to be secure, but to help people remember passwords. At last count, I've got 9 different passwords that change every 3 to 12 months, at different intervals, and I can't write any of them down. This was a better alternative than trying to memorize a machine-generated code that does not use any recognizable pattern.

    I hope you find a reasonable solution soon - I know it's frustrating at times trying to roll your own answer when just learning something!

    Good luck
