0

In PHP, how can I generate a strong password using email, current time, etc.? It should be at least 45 characters in length.

Is generate_password(); a good one?

i'm PosSible
user3398902

2 Answers

-1

Use PHP's built-in password_hash(). Don't roll your own password hashing unless you are an expert.

For more info see:

http://www.php.net/manual/en/function.password-hash.php

If you absolutely must roll your own (or you are on Windows and need something that is compatible with Windows PHP), use some variant of crypt like what I use for devving on Windows:

function generateHash($plainText, $encdata = false) 
{ 
    $strength = "08"; 
    //if encrypted data is passed, check it against input
    if ($encdata) { 
        if (substr($encdata, 0, 60) == crypt($plainText, "$2a$".$strength."$".substr($encdata, 60))) { 
          return true; 
        } else { 
          return false; 
        } 
    } else {     
        //make a salt and hash it with input, and add salt to end 
        $salt = ""; 
        for ($i = 0; $i < 22; $i++) { 
            $salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1); 
        } 
        //return 82 char string (60 char hash & 22 char salt) 
        return crypt($plainText, "$2a$".$strength."$".$salt).$salt; 
    } 
} 

Using this is fairly straightforward.

To hash a password, do it like so:

generateHash($password);

To check a password against a hash (such as the stored hash in a database for a user):

generateHash($password,$storedhash);

Edit: to generate a random password, try this:

function generateString() {
    $string = "";
    for($i=0; $i < 44; $i++) {
        $x = mt_rand(0, 3);
        switch($x) {
            case 0: $string.= chr(mt_rand(97,102));break;
            case 1: $string.= chr(mt_rand(65,90));break;
            case 2: $string.= chr(mt_rand(48,57));break;
            case 3: $string.= chr(mt_rand(103,122));break;
        }
    }
    return $string;

}
Funk Forty Niner
r3wt
  • I think OP wants to generate a password, not a password hash :) – Ja͢ck Apr 03 '14 at 05:40
  • 2
    Also, `$2a$` is deprecated in favour of `$2y$` and it's recommended to use `openssl_random_pseudo_bytes()` or similar function to generate the salt. – Ja͢ck Apr 03 '14 at 05:43
  • You can't use OpenSSL on Windows. It results in the script executing until maximum execution time is reached (or it did last time I checked). – r3wt Apr 03 '14 at 05:46
  • 2
    Then your installation is b0rked, OpenSSL works fine on Windows. – Ja͢ck Apr 03 '14 at 05:47
-2

There are many ways to do this, but I found a very simple method which can generate a strong password of any length. This method is based on the str_shuffle() function, which randomly shuffles a string.

<?php
    function generate_password( $length = 8 ) {
       $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_-=+;:,.?";
       $password = substr( str_shuffle( $chars ), 0, $length );
       return $password;
    }
?>

To generate a random password, simply pass the desired length of the password to this function. If you omit the length parameter, it will generate an 8-character password by default.

$password1 = generate_password(); // default length 8
$password2 = generate_password(6); // 6 character long password

generate_password() is simple, but if you want a strong password then try a hashing algorithm for it.

You could add a key to your hash and send the timestamp with the query, e.g.:

$time = time();
$hash = md5($key . $time);

You can also use hash_hmac(): more detail LINK

$password = hash_hmac('sha256', $username . time(), 'secret');
i'm PosSible
  • `str_shuffle()` uses `rand()` internally, so I wouldn't suggest using this. – Ja͢ck Apr 03 '14 at 05:46
  • Ya, also use this, but also `mt_rand()` is a good one, but it is better on integer values. – i'm PosSible Apr 03 '14 at 05:58
  • Don't use `str_shuffle()` to generate passwords. If your input string contains each character only once, the resulting password will use each character only once, providing a very low entropy value. Also, note that `mt_rand()` is also a poor choice for cryptographic use. Use `openssl_random_pseudo_bytes()` instead. See note at http://us2.php.net/manual/en/function.mt-rand.php#refsect1-function.mt-rand-notes – Quinn Comendant Nov 15 '14 at 14:18
  • Your $chars contains vowels. If you do not remove the vowels, then your password will contain salacious words and phrases, and curse words. Also, you state this is "strong". This is not a "strong" password because of what @QuinnComendant mentioned about your resulting password containing each character only once. –  Sep 15 '19 at 19:05
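
Following the comments above about `str_shuffle()` and `mt_rand()`, this is an added example (not code from either answer) that draws every character independently with `random_int()`, PHP's CSPRNG-backed integer function, and compares the resulting entropy with the no-repeat `str_shuffle()` approach. It assumes PHP 7.0 or later; the function names are illustrative.

```php
<?php
// Added example; assumes PHP >= 7.0 for random_int(). Function names are illustrative.
// Alphabet copied from the generate_password() answer.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_-=+;:,.?';

function generate_password_csprng(int $length = 45, string $alphabet = ALPHABET): string
{
    $max = strlen($alphabet) - 1;
    if ($length < 1 || $max < 1) {
        throw new InvalidArgumentException('need length >= 1 and at least 2 symbols');
    }
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over [0, $max], so there is no modulo bias,
        // and characters may repeat because each draw is independent.
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// Entropy in bits when every position is an independent uniform draw.
function entropy_independent(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

// Upper bound for substr(str_shuffle($chars), 0, $length): no character repeats,
// so there are n!/(n-k)! outcomes. This ignores the weakness of the generator itself.
function entropy_without_repeats(int $alphabetSize, int $length): float
{
    $bits = 0.0;
    for ($i = 0; $i < min($length, $alphabetSize); $i++) {
        $bits += log($alphabetSize - $i, 2);
    }
    return $bits;
}

$n = strlen(ALPHABET);
echo generate_password_csprng(45), PHP_EOL;
printf("independent draws, 45 chars:  %.1f bits\n", entropy_independent($n, 45));
printf("str_shuffle prefix, 45 chars: %.1f bits (best case)\n", entropy_without_repeats($n, 45));
```

The generated value is the password itself; to store it for later verification, pass it through `password_hash()` as the first answer recommends.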