Ticket #5401 (closed enhancement: fixed)

Opened 4 years ago

Last modified 4 years ago

Strengthen password generation, and make generation function pluggable

Reported by: pishmishy Owned by: pishmishy
Priority: normal Milestone: 2.5
Component: Security Version:
Severity: normal Keywords: password pluggable has-patch
Cc:

Description

Password generation currently uses code such as

substr(md5(uniqid(microtime())), 0, 6);

to generate passwords. This does produce a random string but the output is a hexadecimal representation of a number. This only features numbers and the characters "abcdef" reducing the search space of a six letter password over 3,000 times.

16^6 = 16777216 possible passwords

62^6 = 56800235584 possible passwords

I've written a function that draws a random string from this larger set of characters. In practice we may wish to trim this a little so that users don't confuse O and 0, 1 and l, etc. As with #2394 the new function is pluggable. It replaces the old style code used in new installs, password resets, new registrations and post-by-email passwords.

The attached patch also corrects some comments.
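As an added example (not the attached patch and not WordPress's own code), the legacy md5-hex generator is shown beside an alphabet-based generator wrapped in the same function_exists() guard that makes WordPress functions pluggable, together with the search-space arithmetic from the description. The function names are assumptions for this example, and random_int() assumes PHP 7 or later.

```php
<?php
// Added example, not the ticket's patch: contrasts the hex-only generator with
// an alphabet-based, pluggable one, and computes the search space of each.

// Old style quoted in the ticket: md5() returns hex, so only the 16 symbols
// 0-9 and a-f can ever appear, and the seed is not a CSPRNG.
function legacy_password_hex(int $length = 6): string {
    return substr(md5(uniqid(microtime())), 0, $length);
}

// Pluggable in the WordPress sense: a plugin loaded earlier may define a
// function of this name itself, in which case this default is skipped.
// The function name is an assumption for this example.
if (!function_exists('example_generate_password')) {
    function example_generate_password(int $length = 12, bool $avoid_lookalikes = true): string {
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        if ($avoid_lookalikes) {
            // Drop the confusable characters the ticket mentions (O/0, 1/l) plus I.
            $alphabet = str_replace(['O', '0', '1', 'l', 'I'], '', $alphabet);
        }
        $max = strlen($alphabet) - 1;
        $password = '';
        for ($i = 0; $i < $length; $i++) {
            // random_int() draws from the OS CSPRNG; each position is uniform
            // over the alphabet, so the search space is |alphabet|^length.
            $password .= $alphabet[random_int(0, $max)];
        }
        return $password;
    }
}

// Search space: alphabet size raised to the password length.
function search_space(int $alphabet_size, int $length): float {
    return $alphabet_size ** $length;
}

printf("hex alphabet, 6 chars:   %.0f\n", search_space(16, 6));
printf("alnum alphabet, 6 chars: %.0f\n", search_space(62, 6));
printf("ratio (62^6 / 16^6):     %.0f\n", search_space(62, 6) / search_space(16, 6));
printf("legacy sample:           %s\n", legacy_password_hex());
printf("new sample:              %s\n", example_generate_password());
```

The ratio line reproduces the description's "over 3,000 times" figure; shrinking the alphabet to avoid look-alike glyphs costs a little of that, which is the trade-off the description mentions.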

Attachments

password-generation.patch (4.3 KB) - added by pishmishy 4 years ago.
Strengthens password generation

Change History

Strengthens password generation

  • Owner changed from anonymous to pishmishy
  • Status changed from new to assigned
  • Milestone changed from 2.5 to 2.4

comment:3 ryan, 4 years ago

  • Status changed from assigned to closed
  • Resolution set to fixed

(In [6385]) Pluggable random password generator from pishmishy. fixes #5401
