

Generating unbiased random passwords is a surprisingly non-trivial problem. Most naive solutions, such as taking the remainder of a random integer or shuffling a string, lead to biases in the passwords. These biases make the passwords significantly easier to crack. We start by discussing a few common, but incorrect, ways of generating passwords, then provide a secure password generator class for PHP.

Common Mistakes

Weak Pseudo-Random Number Generator (PRNG)

Pseudo-random number generators such as mt_rand are not sufficient for generating passwords. They are designed so that their output looks statistically random, but they make no effort to be unpredictable. Given some of their output, it is easy to figure out their internal state, which can be used to predict their future output.

The passwords generated by a PRNG can only be as secure as the PRNG's initial state. Weak PRNGs usually have a small state (32 bits, for example), which allows an attacker to crack a password generated by the PRNG quickly, by guessing the state of the PRNG rather than guessing the password itself: a 32-bit state means at most about four billion candidate passwords, however long the password is. Worse, since PRNGs are not designed for security, they are often seeded with easy-to-guess values, such as the current time, making their states extremely easy to guess.

Cryptographically secure random number generators (CSPRNGs) must be used to generate passwords. CSPRNGs are unpredictable and incorporate randomness from the physical world (mouse movements, key presses, network packets) into their large internal state. In PHP, the operating system's CSPRNG can be accessed with the mcrypt_create_iv function (with MCRYPT_DEV_URANDOM as the source). Note that the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2; on PHP 7.0 and later, random_bytes() and random_int() read from the same operating-system source and should be used instead.

Modulo Bias

The following seems to be the most common naive solution:

Second, it uses a large random integer to select from a set of N elements by computing the remainder of the random integer divided by N. Unless the number of possible random integers is a multiple of N, some characters will have a higher chance of being picked than others.

For example, if a number between 0 and 94 is generated by taking the remainder of a random byte divided by 95, the numbers 0 to 65 have a higher chance of being picked than the numbers 66 to 94. For each value v from 0 to 65 there are three byte values that produce it: v, v+95, and v+190. For each value v from 66 to 94 there are only two: v and v+95 (v+190 is not a byte value, because 66 + 190 = 256, which is more than one byte). So the values 0 to 65 are each picked with probability 3/256, and 66 to 94 with probability 2/256. The same applies when a larger random integer is used, but there is less bias: with a 32-bit integer, 2^32 mod 95 = 6, so only the values 0 to 5 are favoured, each by one part in about 45 million. The bias disappears only when the range of the random integer is an exact multiple of N, which is why a correct generator must reject out-of-range values rather than reduce them modulo N.
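The weak-PRNG attack described above, as an added example that is not part of the original article: a generator that seeds mt_rand with the current time, and the corresponding search over candidate seeds rather than over passwords. The 62-character alphabet, the 12-character length, the 24-hour window and the use of an unsalted SHA-256 hash as the attacker's verifier are assumptions for illustration.

```php
<?php
// Added example, not the article's code: mt_rand seeded from the clock,
// and the "guess the state instead of the password" attack.

// Assumed alphabet: 62 alphanumerics.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

/**
 * Deliberately weak generator: the entire password is a function of one
 * 32-bit seed, and that seed is the generation time.
 */
function weakPassword(int $seed, int $length = 12): string
{
    $alphabet = ALPHABET;
    $n = strlen($alphabet);
    mt_srand($seed);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[mt_rand(0, $n - 1)];
    }
    return $out;
}

/**
 * Attacker side. $isMatch($candidate) reports whether a candidate password
 * is the right one (here: by comparing hashes). Rather than search the
 * 62^12 password space, walk backwards through every seed in the time
 * window: at most $windowSeconds candidates, each cheap to regenerate.
 */
function recoverSeed(callable $isMatch, int $windowEnd, int $windowSeconds = 86400, int $length = 12): ?int
{
    for ($seed = $windowEnd; $seed > $windowEnd - $windowSeconds; $seed--) {
        if ($isMatch(weakPassword($seed, $length))) {
            return $seed;
        }
    }
    return null;
}

// Victim: password generated six hours ago (simulated by back-dating the seed).
$generatedAt = time() - 6 * 3600;
$password    = weakPassword($generatedAt);
// Assumed storage form. A slow hash would only multiply the cost of the
// 86400 trials; it does not restore the 62^12 search space.
$storedHash  = hash('sha256', $password);

// Attacker: has $storedHash and knows the password was generated "today".
$seed = recoverSeed(
    fn(string $candidate): bool => hash_equals($storedHash, hash('sha256', $candidate)),
    time()
);

if ($seed === null) {
    echo "seed not found in window\n";
} else {
    printf("recovered seed %d (%d s ago); password %s\n",
        $seed, time() - $seed, weakPassword($seed));
}
```

Because mt_rand is fully determined by its seed on a given PHP build, the recovered seed reproduces the password exactly; the work an attacker does is bounded by the size of the time window, not by the length of the password or the size of the alphabet.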

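The modulo bias discussed above, and the rejection-sampling fix, as an added example that is not part of the original article. remainderBiasCounts() enumerates all 256 byte values and so gives the exact distribution of byte % N with no randomness involved; unbiasedIndex() then shows how to draw an index from the operating-system CSPRNG without that bias. The 95-character printable-ASCII alphabet and the 16-character length are assumptions; random_bytes() is the PHP 7+ replacement for mcrypt_create_iv.

```php
<?php
// Added example, not the article's code: measure the modulo bias of
// "random byte % N" exactly, then select characters without it.

/** The 95 printable ASCII characters, space (0x20) through tilde (0x7E). Assumed alphabet. */
function printableAscii(): string
{
    return implode('', array_map('chr', range(32, 126)));
}

/**
 * For each index 0..N-1, count how many of the 256 byte values map to it
 * under (byte % N). Exhaustive, so this is the exact distribution: for
 * N = 95, indices 0..65 receive 3 bytes each and 66..94 receive 2.
 */
function remainderBiasCounts(int $n): array
{
    $counts = array_fill(0, $n, 0);
    for ($b = 0; $b < 256; $b++) {
        $counts[$b % $n]++;
    }
    return $counts;
}

/**
 * Unbiased index in [0, N) from the OS CSPRNG using rejection sampling.
 * Bytes at or above the largest multiple of N that fits in a byte are
 * discarded, so every surviving byte maps to exactly one index and all
 * indices are equally likely. Requires 1 <= N <= 256.
 */
function unbiasedIndex(int $n): int
{
    if ($n < 1 || $n > 256) {
        throw new InvalidArgumentException('n must be in 1..256');
    }
    $limit = 256 - (256 % $n);   // for N = 95 this is 190
    do {
        $b = ord(random_bytes(1));
    } while ($b >= $limit);       // reject bytes in the biased tail
    return $b % $n;
}

function generatePassword(int $length, ?string $alphabet = null): string
{
    $alphabet = $alphabet ?? printableAscii();
    $n = strlen($alphabet);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[unbiasedIndex($n)];
    }
    return $out;
}

// Bias of the naive approach for N = 95.
$counts = remainderBiasCounts(95);
printf("index 0: %d/256, index 65: %d/256, index 66: %d/256, index 94: %d/256\n",
    $counts[0], $counts[65], $counts[66], $counts[94]);

// Unbiased 16-character password from the OS CSPRNG.
echo generatePassword(16), "\n";
```

On PHP 7.0 and later, random_int(0, $n - 1) performs the same rejection sampling internally and is the simpler choice in production; the hand-written version above makes the mechanism visible. The expected number of rejected bytes per character is 256/$limit - 1, which for N = 95 is about 0.35, so the cost of correctness is negligible.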