Newsgroups: php.internals
Subject: Re: [PHP-DEV] Random string generation (á la password_make_salt)
From: ajfweb@googlemail.com (Andrew Faulds)
Date: Mon, 16 Jul 2012 16:50:24 +0100
To: Alex Aulbach
Cc: Anthony Ferrara, Nikita Popov, PHP internals

On 16 July 2012 16:32, Alex Aulbach wrote:
> I like it. I've looked in some code and found about 8
> password-generation-functions. 4 of them have more or less the same
> idea behind them.
>
> The rest generate more complicated passwords. E.g. "minimum one
> digit", "First letter must be alphabetic". This is easy to implement.
> Some generate passwords from syllables (don't ask, no one does that
> anymore).
>
>
> Three suggestions:
>
>
> 1a) If you want to support character classes, you can do it with pcre:
> http://www.php.net/manual/en/regexp.reference.character-classes.php
>
> The idea is the following:
>
> pseudofunction random_string($len, $characters)
> {
>     ....
>     $set = '';
>     if ($characters "look like a RE consisting of just one character-class") {
>         foreach ($charset as $char) {
>             // If the regex matches one of the chars, it is in the character class!
>             if (preg_match($characters, $char)) {
>                 // add char to $set
>                 $set .= $char;
>             }
>         }
>     } else {
>         $set = $characters;
>     }
>     ....
>
>
> -- "look like RE consisting of just one character-class" : something
> like "/^\/\[.*\]\/[^/]*$/s" - not tested this, but explained: search
> for "/[...]/...". Some cases here are untested ([, ] and so on), needs
> more thinking, when I have time, but will be enough for proof of
> concept. Making it easier is always possible.
> -- $charset : The chars from 0 to 255.
>
> With this you can avoid parsing or defining the character-classes
> yourself and it is normally fast enough. If you want to have it faster
> see suggestion 3.
>
>
> 1b) And it has some more functionality: For Germans the alphabet
> consists of 30 chars. PCRE normally considers this! [:alpha:] for
> German locales differs from [:alpha:] for English.
>
> Is this wanted?
> I think, the localisation should be by default off;
> nobody really needs to generate passwords with umlauts.
>
>
> 1c) For the standard cases like "a-zA-Z0-9" etc. constants could be useful.
>
>
>
> 2. What about Unicode? Do Japanese people want to have Japanese passwords?
>

No, Japanese and Chinese are entered using IMEs and would be impractical to use in passwords. Russian though, maybe. However I think most passwords are alphanumeric. Besides, this isn't to generate passwords, it's to generate salts and other random strings.

>
> 3. Because generating a string from character-classes is very handy in
> general for some other things (many string functions have it), I
> suggest that it is not part of random_string(). Make a new function
> str_from_character_class(), or if you use pcre like above
> pcre_str_from_character_class()?
>
>
> --
> Alex Aulbach

--
Andrew Faulds (AJF)
http://ajf.me/
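
The character-class expansion proposed in suggestion 1a, as an added example that is not part of the original message or of PHP itself. The function names, the shape-check regex and the ASCII-only default (the "localisation off by default" idea from 1b) are assumptions of this sketch, and `random_int()` requires PHP 7 or later.

```php
<?php
// Added example. expand_char_class() and random_string_from() are
// hypothetical names, not PHP core functions. Assumes PHP 7.1+.

function expand_char_class(string $spec, bool $asciiOnly = true): ?string
{
    // Shape check (this sketch's own rule): "/[...]/" with optional "i" flag.
    if (!preg_match('~^/\[.+\]/i?$~s', $spec)) {
        return null; // not a class: the caller uses $spec as a literal set
    }
    $set = '';
    // Stopping at 127 keeps locale-dependent bytes (umlauts etc.) out.
    $last = $asciiOnly ? 127 : 255;
    for ($byte = 0; $byte <= $last; $byte++) {
        $hit = @preg_match($spec, chr($byte));
        if ($hit === false) {
            throw new InvalidArgumentException("invalid pattern: $spec");
        }
        if ($hit === 1) {
            $set .= chr($byte);
        }
    }
    return $set;
}

function random_string_from(int $len, string $characters): string
{
    $set = expand_char_class($characters) ?? $characters;
    // Remove duplicates so every character is equally likely.
    $set = implode('', array_unique(str_split($set)));
    if ($len < 1 || $set === '') {
        throw new InvalidArgumentException('empty length or character set');
    }
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        // random_int() is a CSPRNG and uniform over the range (no modulo bias).
        $out .= $set[random_int(0, strlen($set) - 1)];
    }
    return $out;
}

// Constructed sample inputs.
echo random_string_from(16, '/[a-f0-9]/'), "\n";        // 16 hex digits
echo random_string_from(22, '/[[:alnum:].\/]/'), "\n";  // ./0-9A-Za-z
echo random_string_from(8, 'ACGT'), "\n";               // literal set
```

A negated class such as `/[^a]/` expands to every other byte in range, control characters included, so callers that need printable output should pass a positive class.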