Opened 17 years ago
Closed 17 years ago
#5401 closed enhancement (fixed)
Strengthen password generation, and make generation function pluggable
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.5 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | password pluggable has-patch |
| Focuses: | | Cc: | |
Description
Password generation currently uses code such as
substr(md5(uniqid(microtime())), 0, 6);
to generate passwords. This does produce a random string but the output is a hexadecimal representation of a number. This only features numbers and the characters "abcdef" reducing the search space of a six letter password over 3,000 times.
16^6 = 16777216 possible passwords
62^6 = 56800235584 possible passwords
I've written a function that draws a random string from this larger set of characters. In practice we may wish to trim this a little so that users don't confuse O and 0, 1 and l, etc. As with #2394 the new function is pluggable. It replaces the old style code used in new installs, password resets, new registrations and post-by-email passwords.
The attached patch also corrects some comments.
Strengthens password generation
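As an added illustration (not the ticket's attached patch, and not WordPress's own code), the following PHP sketches the approach the description outlines: each character is drawn uniformly from the full alphanumeric set, the confusable characters the reporter mentions are optionally dropped, and the generator sits behind a function_exists() guard so a plugin can replace it. It assumes PHP 7 or later for random_int(); the function names are hypothetical.

```php
<?php
// Added example, not the ticket's patch. Draws each password character
// uniformly from a large alphabet instead of taking hex digits of an md5,
// and makes the generator pluggable. Assumes PHP 7+ for random_int(),
// which reads from the OS CSPRNG; function names are illustrative only.

if ( ! function_exists( 'example_generate_password' ) ) {
    /**
     * Generate a random password.
     *
     * @param int  $length            Number of characters to produce.
     * @param bool $avoid_confusables Drop characters users tend to confuse
     *                                (O/0, l/1/I), as the ticket suggests.
     * @return string
     */
    function example_generate_password( $length = 12, $avoid_confusables = true ) {
        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        if ( $avoid_confusables ) {
            $chars = str_replace( str_split( 'O0l1I' ), '', $chars );
        }
        $max      = strlen( $chars ) - 1;
        $password = '';
        for ( $i = 0; $i < $length; $i++ ) {
            // random_int() is uniform over [0, $max], so there is no modulo
            // bias of the kind rand() % n would introduce.
            $password .= $chars[ random_int( 0, $max ) ];
        }
        return $password;
    }
}

/**
 * Size of the search space for an alphabet of $alphabet_size symbols
 * and $length positions: alphabet_size ** length.
 */
function example_search_space( $alphabet_size, $length ) {
    return $alphabet_size ** $length;
}

// Compare the old md5-hex scheme (16 symbols) with the 62-symbol set
// for the six-character passwords the ticket discusses.
$old = example_search_space( 16, 6 );
$new = example_search_space( 62, 6 );
printf( "16^6 = %d, 62^6 = %d, ratio = %.0f\n", $old, $new, $new / $old );
echo example_generate_password( 6 ), "\n";
```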