One way to generate a password...



  • At least it's indented correctly, unlike most of this developer's other code:

    function generate_password($length,$level){

       // Seed PHP's non-cryptographic PRNG from the current microtime.
       list($usec, $sec) = explode(' ', microtime());
       srand((float) $sec + ((float) $usec * 100000));

       // Character classes selected by $level; note that level 2 leaves out e, i, l, o and u.
       $validchars[1] = "0123456789";
       $validchars[2] = "abcdfghjkmnpqrstvwxyz";
       $validchars[3] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
       $validchars[4] = "0123456789abcdfghjkmnpqrstvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

       $password  = "";
       $counter   = 0;

       while ($counter < $length) {
         // Pick one character at random from the chosen class.
         $actChar = substr($validchars[$level], rand(0, strlen($validchars[$level])-1), 1);

         // All character must be different
         // (only appended if not already present, so the loop never ends once $length exceeds the class size)
         if (!strstr($password, $actChar)) {
            $password .= $actChar;
            $counter++;
         }
       }

       return $password;
    }



  • @elitheeli said:

    At least it's indented correctly, unlike most of this developer's other code

    That means that he copied it from someone else.



  • Our place uses something similar when you call up and ask to have your password reset.

    What I don't get is - if they're going to force you to change your password in order to use it, and the only reason you know there's a problem is because you ARE trying to use it, why they just can't make it something like "changeme"



  • @snoofle said:

    Our place uses something similar when you call up and ask to have your password reset.

    What I don't get is - if they're going to force you to change your password in order to use it, and the only reason you know there's a problem is because you ARE trying to use it, why they just can't make it something like "changeme"

     

    Only problem I can see with that would be if someone managed to break into an account by using that password just as someone was having it changed, it could lead to some real problems.

    I know the chances of that are remote but still, a hole is a hole...



  • @Master Chief said:

    @snoofle said:

    Our place uses something similar when you call up and ask to have your password reset.

    What I don't get is - if they're going to force you to change your password in order to use it, and the only reason you know there's a problem is because you ARE trying to use it, why they just can't make it something like "changeme"

     

    Only problem I can see with that would be if someone managed to break into an account by using that password just as someone was having it changed, it could lead to some real problems.

    I know the chances of that are remote but still, a hole is a hole...

    That's pretty much it. Also factor in the incredible efficiency of those kinds of systems. When I called Time Warner to get my password reset, the phone guy told me he had to fill out a form (I asked and he confirmed that it was, in fact, a paper form), and submit it to the appropriate department for processing. It was two days before I was notified of my new password. If I had decided to take a couple days of vacation, it could have been a while before I saw their email.



  • @Master Chief said:

    @snoofle said:

    Our place uses something similar when you call up and ask to have your password reset.

    What I don't get is - if they're going to force you to change your password in order to use it, and the only reason you know there's a problem is because you ARE trying to use it, why they just can't make it something like "changeme"

     

    Only problem I can see with that would be if someone managed to break into an account by using that password just as someone was having it changed, it could lead to some real problems.

    I know the chances of that are remote but still, a hole is a hole...

     

    When is a hole not a hole?  When it's a backdoor!

    But seriously, I often wonder if these things were inserted on purpose by someone with penetration in mind.

     



  • @NullAndVoid said:

    When is a-hole not a-hole?  When it's a backdoor!

    But seriously, I often wonder if these things were inserted on purpose by someone with penetration in mind.

    I believe this is the hottest post I've ever read on TDWTF Forums. 



  • @morbiuswilters said:

    I believe this is the hottest post I've ever read on TDWTF Forums. 

    This explains so much...



  • @Jake Grey said:

    This explains so much...

    What does it explain, precisely? 



  • @Jake Grey said:

    @morbiuswilters said:

    I believe this is the hottest post I've ever read on TDWTF Forums. 

    This explains so much...

    We can beat this. Just talk about penetrating the firewall using a backdoor ... insert some lubricant jokes and make sure the firewall's name is Sarah Palin



  • @morbiuswilters said:

    @Jake Grey said:

    This explains so much...

    What does it explain, precisely? 

     

     Do you really want to know?



  • @snoofle said:

    Our place uses something similar when you call up and ask to have your password reset.

    What I don't get is - if they're going to force you to change your password in order to use it, and the only reason you know there's a problem is because you ARE trying to use it, why they just can't make it something like "changeme"

    Time for a serious answer: according to the PCI standards for security (with PCI being "Payment Card Industry"), new or reset passwords cannot be set to a single common value.  I don't know that the particular business was attempting to follow PCI standards, but following them isn't a bad idea.

    That particular code probably isn't the best I've ever seen, but that's outside the realm of my explanation.



  • @elitheeli said:

    // All character must be different
    Ermm... sure.



  • generate_password(11,1);

     

    (whistles innocently)
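The generate_password(11,1) call above never returns: level 1 has only ten distinct digits, and the original's "all characters must be different" rule can never fill an eleventh position. As an added example that is not part of the original thread, the PHP below (the function names generate_password_secure, original_entropy_bits and secure_entropy_bits are my own) keeps the thread's four character classes, replaces srand()/rand() with random_int(), rejects an impossible length instead of spinning forever, and computes how many bits of entropy the uniqueness rule discards compared with letting characters repeat.

```php
<?php
// Added example (not from the original post): a safer replacement for the
// thread's generate_password(), plus a measure of what its "no repeated
// characters" rule costs in entropy.

declare(strict_types=1);

// Same four character classes as the original post (level 2 deliberately
// keeps the original's omission of e, i, l, o and u).
const VALID_CHARS = [
    1 => "0123456789",
    2 => "abcdfghjkmnpqrstvwxyz",
    3 => "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    4 => "0123456789abcdfghjkmnpqrstvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
];

/**
 * Generate a password of $length characters drawn from class $level.
 *
 * Differences from the original:
 *  - random_int() (CSPRNG) instead of srand()/rand() seeded from microtime()
 *  - characters may repeat, so every position contributes log2(N) bits
 *  - an unknown $level or a non-positive $length throws instead of looping
 */
function generate_password_secure(int $length, int $level): string
{
    if (!array_key_exists($level, VALID_CHARS)) {
        throw new InvalidArgumentException("unknown level $level");
    }
    if ($length < 1) {
        throw new InvalidArgumentException("length must be positive");
    }
    $alphabet = VALID_CHARS[$level];
    $max = strlen($alphabet) - 1;
    $password = "";
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

/**
 * Entropy in bits of the ORIGINAL generator's output for ($length, $level):
 * log2 of the number of distinct strings it can produce under the
 * "all characters different" rule, i.e. N * (N-1) * ... * (N-length+1).
 * Returns null when $length > N, the case in which the original never
 * terminates (generate_password(11, 1) from the thread).
 */
function original_entropy_bits(int $length, int $level): ?float
{
    $n = strlen(VALID_CHARS[$level]);
    if ($length > $n) {
        return null; // original loops forever here
    }
    $bits = 0.0;
    for ($i = 0; $i < $length; $i++) {
        $bits += log($n - $i, 2);
    }
    return $bits;
}

// Entropy of the secure version with the same parameters: length * log2(N).
function secure_entropy_bits(int $length, int $level): float
{
    return $length * log(strlen(VALID_CHARS[$level]), 2);
}

// Compare the two generators on a few parameter pairs, including the
// (11, 1) call quoted in the thread.
foreach ([[8, 4], [10, 1], [11, 1]] as [$len, $lvl]) {
    $orig = original_entropy_bits($len, $lvl);
    printf(
        "length=%d level=%d  original: %s  secure: %.1f bits\n",
        $len,
        $lvl,
        $orig === null ? "hangs (length > alphabet size)" : sprintf("%.1f bits", $orig),
        secure_entropy_bits($len, $lvl)
    );
}

echo generate_password_secure(12, 4), "\n";
```

Run it with `php` on the command line; the entropy figures show that for the original's level 1, ten digits with no repeats give log2(10!) of about 21.8 bits, whereas ten independent digits give about 33.2 bits, and the (11, 1) row is reported as a hang rather than computed, which is the check the original code lacks.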



  • Oh, this one beats base64-encoding /dev/random's output and using that as the "password"...

