Password Generator Script

[Jubatus]

Hello,

I got bored so I made a password generator script in a few minutes. All you have to do is put these codes in the correct file names.

index.php

Code:

<html>
	<head>
		<title>Password Generator Script</title>
	</head>
<body>
	
	<h2>Password Generator</h2><br />
	
	<form action="result.php" method="post" />Choose number<br />
		<input type="text" name="number" /><br />
		<input type="submit" value="Generate Password" />
	</form>
	
	
</body>
</html>

result.php

PHP Code:

$number = $_POST['number'];

switch($number)
{
    case 6:
    $string = "abc123";
    echo $string/2;
    break;
    
    case 7:
    $string = "abc1234";
    echo $string/2;
    break;
    
    case 8:
    $string = "abcd1234";
    echo $string/2;
    break;
    
    case 9:
    $string = "abcd12345";
    echo $string/2;
    break;
    
    case 10:
    $string = "abcde12345";
    echo $string/2;
    break;
    
    default:
    echo 'Invalid number.';
}
    $string_shuffled = str_shuffle($string);
    echo $string_shuffled;

?> 


[MentaL]

[jMerliN]

This is what will happen if you try to use one of these passwords:

[Jash]

At least randomize the characters

[TimeBomb]

PHP has a str_shuffle function? That's news to me. For some reason, it makes me hate PHP just a little bit more. I mean... how hard is shuffling a string yourself? :/. Meh.

Anywho, I'ma definitely agree with jMerlin.

[Jubatus]

This is what will happen if you try to use one of these passwords:

Why is that?

At least randomize the characters

That's what str_shuffle() does. It takes the string and scrambles it.

[Jash]

Why is that?

That's what str_shuffle() does. It takes the string and scrambles it.

When i said randomize the characters i don't mean scramble them. That means it doesn't have to contain only the characters a,b,c,d,1,2,3,4. The password string, when randomized correctly, should be capable of producing cryptographically secured random characters, something like UHas91NS, JS83NNw, 0SjIJ2ms, 92xm8Sd3. You get the idea.

By using your system, there will only be 6! + 7! + 8! + 9! + 10! possible combinations (assuming a cracker doesn't know the number of characters, but knows that there can only be 6 to 10 characters) which is rather easy to crack. However if you were to use a cryptographically secured random string, there will be 62^6 + 62^7 + 62^8 + 62^9 + 62^10 combinations.

If you compared the cryptographically secured random cryptosystem with your cryptosystem, it has 211270202026.6262640672055793% more combinations than your weak system. As a result, it requires an average of 211270202026.6262640672055793% more time to be cracked via brute forced as compared to your system, increasing it's complexity, making your system rather prone. To give you an idea of how bad it is, for every one password cracked in the cryptographically secured random cryptosystem, the same amount of computing power and time would have cracked 211270202026 passwords on your relatively weak cryptosystem.

Please note that the term "weak" here is not used offensively. It is merely a cryptography term that refers to a cryptosystem that can be easily broken with a complexity lower than brute force.

[Jubatus]

I totally agree. I wasn't really trying my best with this.

Would I be able to do it by using a hash function? Going to try.

[Gravious]

I think what Jash meant is something like this:

Code:

<?php
function generateRandomString($Length)
{
	$Characters = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-+";
	$Output = "";
	for ($i = 0; $i < $Length; $i++)
	{
		$Output .= $Characters[rand(0, strlen($Characters) - 1)];
	}
	return $Output;
}

echo generateRandomString(10);
?>

[Jubatus]

Thank guys. My PHP has improved.

[Vusion]

Written this a while back.

Code:

<?php
if(isset($_POST['gen']))
{
	$charset = "abcdefghijklmnopqrstuvwxyz0123456789" . (($_POST['symbols']) ? "~`!@#$%^&*()_+-./?><:;][}{\|" : "");
	
	if(empty($_POST['size1']) || empty($_POST['size2']))
		die("Fill in the fields.");

	if(!ctype_digit($_POST['size1']) || !ctype_digit($_POST['size2']))
		die("Numbers only.");
		
	$strLen = rand($_POST['size1'], $_POST['size2']);
	for($i = 0; $i < $strLen; $i++)
	{
		$charNum = rand(0, strlen($charset));
		$pass = $pass . $charset[$charNum];		
	}
	
	echo $pass;
}
?>
<form action="" method="POST">
	Password size between <input type="text" name="size1" size="1" /> characters and <input type="text" name="size2" size="1" />.<br />
	<input type="checkbox" name="symbols" /> With symbols <br /> <br />
	<input type="submit" name="gen" value="Generate" />
</form>

[Jash]

I totally agree. I wasn't really trying my best with this.

Would I be able to do it by using a hash function? Going to try.

A hash is basically a one way function that converts a given array of bytes to another. It is irreversible and when you wanna check if the array A matches with B, the password whose hash is stored in the database, you compare the hash of A with the hash of B. Its designed such that crackers will have to do some brute forcing to get the original password by generating the hashes of possible passwords and comparing them with the hash of B. But of course, if you limit the number of passwords then the possible number of combinations won't be that high either.
Thus, if a cracker has easy access to the stored passwords then a hash will really help a lot.

There is, however, a way to furthur increase security. (Here goes my lecture)
Imagine hashing a password many many times over (say, 100000 times). It'll require a lot more time to generate the hash for a single given password. Since its evident that the average time required to complete a brute force search increases linearly with the time required to compute the hash of a given string, an increase of the time required per computation will increase the average total time required. Which means that brute forcing through all the possible passwords available will be practically impossible if the time required per computation is sufficiently large enough. Just to give you an idea of how effective it is, an increase of time required per computation of 1 ms will increase the average total time required by 27031788.57 years if i didnt calculate wrongly.

Which is why i recommend using PBKDF/PBKDF2 (Password-Based Key Derivation Function), it not only allows you to choose the number of iterarions you want but also allows you to produce an array of bytes the length of your choice (for PBKDF i think its limited but not PBKDF2).

Sorry if my posts is too long, i get very emotional whenever i discuss about things :D

Sent from my LG-P500 using Tapatalk 2

[Jash]

I think what Jash meant is something like this:

Code:

<?php
function generateRandomString($Length)
{
$Characters = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-+";
$Output = "";
for ($i = 0; $i < $Length; $i++)
{
$Output .= $Characters[rand(0, strlen($Characters) - 1)];
}
return $Output;
}

echo generateRandomString(10);
?>

Yep, this will work pretty well :D (sorry i couldnt write my own, i suck at PHP ><)

Sent from my LG-P500 using Tapatalk 2