Strengthen password generation, and make generation function pluggable
|Reported by:||pishmishy||Owned by:||pishmishy|
|Component:||Security||Keywords:||password pluggable has-patch|
Password generation currently uses code such as
substr(md5(uniqid(microtime())), 0, 6);
to generate passwords. This does produce a random string but the output is a hexadecimal representation of a number. This only features numbers and the characters "abcdef" reducing the search space of a six letter password over 3,000 times.
166 = 16777216 possible passwords
626 = 56800235584 possible passwords
I've written a function that draws a random string from this larger set of characters. In practise we may wish trim this a little so that users don't confuse O and 0, 1 and l etc. As with #2394 the new function is pluggable. It replaces the old style code used in new installs, password resets, new registrations and post-by-email passwords.
The attached patch also corrects some comments