
make_password: generate longer passwords by default, use better random function if available

Andrew Dolgov 8 months ago
parent
commit
16a9bdc387
3 changed files with 14 additions and 7 deletions
  1. 2 2
      classes/pref/users.php
  2. 1 1
      include/functions.php
  3. 11 4
      install/index.php

+ 2 - 2
classes/pref/users.php

@@ -231,7 +231,7 @@ class Pref_Users extends Handler_Protected {
 
 		function add() {
 			$login = trim(clean($_REQUEST["login"]));
-			$tmp_user_pwd = make_password(8);
+			$tmp_user_pwd = make_password();
 			$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 			$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
 
@@ -283,7 +283,7 @@ class Pref_Users extends Handler_Protected {
 				$login = $row["login"];
 
 				$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
-				$tmp_user_pwd = make_password(8);
+				$tmp_user_pwd = make_password();
 
 				$pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
 

+ 1 - 1
include/functions.php

@@ -737,7 +737,7 @@
 		}
 	}
 
-	function make_password($length = 8) {
+	function make_password($length = 12) {
 
 		$password = "";
 		$possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ";
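Review bot: Only the default length changes in this copy of `make_password()`; the character-selection code lies below the hunk, so it is not visible whether it received the `random_int()` preference that the commit title describes and that install/index.php gets. If this copy still indexes `$possible` with `mt_rand()`, the temporary passwords issued at the two `make_password()` call sites in classes/pref/users.php come from a non-cryptographic generator, and the same selection logic should be applied here. The alphabet here also lacks the `*%+^` symbols of the installer's copy, which suggests the two functions should share one implementation rather than drift apart.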

+ 11 - 4
install/index.php

@@ -55,21 +55,28 @@
 		//
 	}
 
-	function make_password($length = 8) {
-
+	function make_password($length = 12) {
 		$password = "";
 		$possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ*%+^";
 
-	$i = 0;
+		$i = 0;
 
 		while ($i < $length) {
-			$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
+
+			try {
+				$idx = function_exists("random_int") ? random_int(0, strlen($possible) - 1) : mt_rand(0, strlen($possible) - 1);
+			} catch (Exception $e) {
+				$idx = mt_rand(0, strlen($possible) - 1);
+			}
+
+			$char = substr($possible, $idx, 1);
 
 			if (!strstr($password, $char)) {
 				$password .= $char;
 				$i++;
 			}
 		}
+
 		return $password;
 	}
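Review bot: The `catch (Exception $e)` branch silently falls back to `mt_rand()` when `random_int()` cannot obtain secure randomness, so the function can return a password drawn from a predictable generator with no indication to the caller. Letting the exception propagate is safer for a credential: drop the try/catch and keep `$idx = function_exists("random_int") ? random_int(0, strlen($possible) - 1) : mt_rand(0, strlen($possible) - 1);`, with a comment that the `mt_rand()` path exists only for PHP versions without `random_int()`. Separately, the unchanged `if (!strstr($password, $char))` filter forbids repeated characters, which shrinks the password space and makes the loop spin forever if `$length` exceeds the 56 characters in `$possible`; a guard such as `$length = min($length, strlen($possible));` or removing the filter would address that.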