Ticket #5401 (closed enhancement: fixed)

Opened 8 months ago

Last modified 7 months ago

Strengthen password generation, and make generation function pluggable

Reported by: pishmishy Assigned to: pishmishy
Priority: normal Milestone: 2.5
Component: Security Version:
Severity: normal Keywords: password pluggable has-patch
Cc:

Description

Password generation currently uses code such as

substr(md5(uniqid(microtime())), 0, 6);

to generate passwords. This does produce a random string but the output is a hexadecimal representation of a number. This only features numbers and the characters "abcdef" reducing the search space of a six letter password over 3,000 times.

16^6 = 16777216 possible passwords

62^6 = 56800235584 possible passwords

I've written a function that draws a random string from this larger set of characters. In practice we may wish to trim this a little so that users don't confuse O and 0, 1 and l, etc. As with #2394 the new function is pluggable. It replaces the old style code used in new installs, password resets, new registrations and post-by-email passwords.

The attached patch also corrects some comments.
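To illustrate the change the ticket describes, here is an added example (not the attached patch and not WordPress's own code) that puts the weak hex-only snippet beside a character-set generator wrapped in the pluggable `function_exists()` pattern; the function names, the trimmed ambiguous characters and the use of `random_int()` are assumptions for illustration.

```php
<?php
// Added example, not the ticket's patch. Function names are hypothetical.

// The form criticised in the ticket: md5() output is hex, so each position
// holds one of only 16 symbols, and uniqid()/microtime() are not a CSPRNG.
function weak_generate_password(int $length = 6): string
{
    return substr(md5(uniqid(microtime())), 0, $length);
}

// Pluggable in the WordPress sense: if a plugin has already defined a function
// of this name, this default definition is skipped.
if (!function_exists('example_generate_password')) {
    function example_generate_password(int $length = 12, bool $avoid_ambiguous = true): string
    {
        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        if ($avoid_ambiguous) {
            // Trim characters users confuse on screen or paper (O/0, l/1/I);
            // the exact set is an assumption, the ticket only names O/0 and 1/l.
            $chars = str_replace(['O', '0', 'l', '1', 'I'], '', $chars);
        }
        $max = strlen($chars) - 1;
        $password = '';
        for ($i = 0; $i < $length; $i++) {
            // random_int() draws from the OS CSPRNG, unlike the md5(uniqid()) approach.
            $password .= $chars[random_int(0, $max)];
        }
        return $password;
    }
}

// Search space for an alphabet of $symbols characters at a given length,
// the 16^6 versus 62^6 comparison made in the ticket.
function search_space(int $symbols, int $length): int
{
    return $symbols ** $length;
}

printf("hex, 6 chars:   %d\n", search_space(16, 6));
printf("alnum, 6 chars: %d\n", search_space(62, 6));
printf("ratio:          %d\n", intdiv(search_space(62, 6), search_space(16, 6)));
echo "weak:   ", weak_generate_password(), "\n";
echo "strong: ", example_generate_password(), "\n";
```

Running the file prints the two search-space figures from the ticket followed by one password from each generator.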

Attachments

password-generation.patch (4.3 kB) - added by pishmishy on 11/29/07 15:41:18.
Strengthens password generation

Change History

11/29/07 15:41:18 changed by pishmishy

  • attachment password-generation.patch added.

Strengthens password generation

11/29/07 15:43:57 changed by pishmishy

  • owner changed from anonymous to pishmishy.
  • status changed from new to assigned.

11/30/07 20:43:26 changed by lloydbudd

  • milestone changed from 2.5 to 2.4.

12/15/07 05:31:16 changed by ryan

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [6385]) Pluggable random password generator from pishmishy. fixes #5401