0

I did some research and all the method to generate passwords seems to include a 'random' part. What if I want to generate a password, secure as possible, with no random parts, so to be able to have a script generating it (again and again with the same result)?

Let's say in my website I have a user having username 'foo_bar'. Doing something like 

   hash('sha512', 'foo_bar'.'some_secret_word')

to generate his password could be the best way to proceed?

EDIT: I need my script to generate the same password giving it in input the same string, so everything involving rand() is not an answer

EDIT: Let's detail the problem. I have a long list of user data (username,email,address,etc) in a csv form. I have to import them inside my website (built on a CMS). I know how to import them, generating users, but I need to generate, by my own php, their password, in order to see them at any time, for I need to print the credentials to the users at different times. Generating passwords with any random element means not to be able to have and print the credential at any time. For some reasons, I can't simply generate them one time, store them somewhere and check later. Obviously, I can't generate password with a simple method like password='username_astring' for any user looking at his own password would know everyone else's password, so I was thinking a good way was using this method, but encrypting the string. However this idea seems not quite 'clean' to me and I was guessing if there is a more standard and clean solution.

Sasha Grievus
  • 2,566
  • 5
  • 31
  • 58
  • 5
    The random bit (salt) is part of what makes hashes secure. Please just use the [Password API](http://php.net/password) and stop trying to roll your own password workflow. – Jonnix Sep 09 '16 at 13:57
  • What do you mean by "safe"? – Scott Sep 09 '16 at 13:58
  • 1
    Are you trying to generate the password or generate a hash? It's not clear. – Machavity Sep 09 '16 at 14:02
  • @Scott By safe, I mean difficult to guess. I am not very into cryptography, and I would like to generate passwords that are not guessable like 'foo_bar_password'. At the same time, I don't need password strong enough to secure the Batcave. :) – Sasha Grievus Sep 09 '16 at 14:03
  • @Machavity Password. I'm sorry, but I don't really know what a hash or a salt is. – Sasha Grievus Sep 09 '16 at 14:04
  • Are you asking about automatically generating a for the user to use when he/she is logging in to your site, or are you asking about hashing an existing password to store in your database? – M. Eriksson Sep 09 '16 at 14:09
  • Truly, I have a long list of user data (username,email,address,etc) in a csv form. I have to import them inside my website (built on a CMS). I know how to import them, generating users, but I need to generate by my own their password in order to see them at any time, for I need to print the credentials to the users at different times. Generating passwords with any random element means not to be able to have and print the credential at any time. For some reasons, I can't simply generate them one time, store them somewhere and check later. – Sasha Grievus Sep 09 '16 at 14:17
  • 1
    I have an answer to this question - but can't submit because its closed. – Scott Sep 09 '16 at 14:26
  • 1
    @SashaGrievus if you need to know the credentials, you don't need a hashing algorithm you need two-way encryption. – Jeff Lambert Sep 09 '16 at 14:26
  • 1
    The issue with **not using `'some_secret_word'`** in the code means that if two or more people use the same password then it generates the same 'sha256' value. People tend to use 'easy to remember passwords' i.e. simple. So, crack one unsalted hash and everyone that use that password can be decrypted without any extra work. – Ryan Vincent Sep 09 '16 at 14:26
  • 1
    While I think the question is flawed and might not be what the user is looking for - the question is still valid and not a duplicate of "how to create a password". Its more likely a duplicate of "How do I encrypt a string?" in this case, the string would be username. – Scott Sep 09 '16 at 14:29
  • Yes, sorry, I think I explained all the issue in a bad bad way. It's more like that I need to 'encrypt a string with salt'. The fact I would use that as a password is not quite relevant. I'm getting the point only now, understanding the concept of hash. I'll check the two-way encryption thing. – Sasha Grievus Sep 09 '16 at 14:34
  • @Scott Yes, it's closed, but it wasn't me. Someone misunderstood the question, marking it as duplicate... – Sasha Grievus Sep 09 '16 at 14:37
  • @SashaGrievus Even clarified, though, it's still a duplicate, just of a different question. If you're wanting reversible encryption then you need to read [this question](http://stackoverflow.com/questions/16600708/how-do-you-encrypt-and-decrypt-a-php-string), which has probably the best answer you'll get on the topic anywhere – Machavity Sep 09 '16 at 14:57
  • @Machavity I still think it is not a duplicate. It's still more complicated than simple encryption. Encrypting doesn't solve totally the problem for an encrypted string, as you say, is reversible and, if reverted, could unveil the pattern behind the generation of all the other users password. I believe the problem is not trivial and could have not trivial answers still. – Sasha Grievus Sep 09 '16 at 15:17
  • why not? Doing it would cause problems? (Supposing the value hashed will be re-hashed at the moment to store it in the database as user password) It is not the standard way to deal with the problem, but could be suitable to solve my problem, anyway? – Sasha Grievus Sep 09 '16 at 21:51

1 Answers1

1

What you are referring to is the practice of salting passwords. You are correct in the idea, prior to the hashing algorithm being applied to the user's password a separate string is added on to it. What it is meant to protect against are so-called rainbow tables where attackers will precompute hashes of common passwords and compare those to hashed passwords from database dumps they have 'obtained'.

The best practice in this case is to not roll your own hashing algorithm. There's plenty of 3rd-party hashing libraries out there that are tried and tested and proven to be secure.

Barring that, best practice would be to generate a different salt for each different password (including password changes), which must then also be stored along with the password in order to check against authentication attempts.

Jeff Lambert
  • 24,395
  • 4
  • 69
  • 96