Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:88683 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 63815 invoked from network); 5 Oct 2015 15:34:30 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Oct 2015 15:34:30 -0000 Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain paragonie.com from 209.85.215.44 cause and error) X-PHP-List-Original-Sender: scott@paragonie.com X-Host-Fingerprint: 209.85.215.44 mail-la0-f44.google.com Received: from [209.85.215.44] ([209.85.215.44:35524] helo=mail-la0-f44.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 77/20-61918-28892165 for ; Mon, 05 Oct 2015 11:34:29 -0400 Received: by laag4 with SMTP id g4so1171679laa.2 for ; Mon, 05 Oct 2015 08:34:24 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=AGy7v1r62vRjQJoHMjhqNr6bRiFHf7YQiCZl9halJJk=; b=NPH7w/dTlPbg0/Jy3D3A3+nhaAvRtNpqvOCKt7Y2yeXmpu5FwaJtLM/YfoF2sIjFzr uYd8Tk+x5ziiYpGhTo4EzsTRyMEEKe6rZMeDzUhJdFGk1zRCe7h5Zt612ORbG3A9HwaV dRiOWgNljjeNDGdSX0YFMnh8lT6elnvoK44l2EbAYk2K1Kpy3F/0Ol7hMuCGBo8n9YMs qZ2RV1a7wbPlUgm89pg7FXlny80cW9pIyl5wAYODWEn/mwWATln4za9YXJt34Y5Kvbjj My3swC3RqLwELABXXRf+xJ2gxlVaCQPgfTTJ7FPL5uXs0ogrTANHLYSToHv8oOFPDiQn 1/pQ== X-Gm-Message-State: ALoCoQmFU0r14+4XkJmxl1FlBnLtuB4nP7caelNeYrGK0GVce4xgcXDh5wNbBT+lJiFJgAEDuwlv MIME-Version: 1.0 X-Received: by 10.112.198.97 with SMTP id jb1mr11828688lbc.8.1444059263847; Mon, 05 Oct 2015 08:34:23 -0700 (PDT) Received: by 10.114.79.105 with HTTP; Mon, 5 Oct 2015 08:34:23 -0700 (PDT) In-Reply-To: <560EF2AE.4080502@thefsb.org> References: <560EF2AE.4080502@thefsb.org> Date: Mon, 5 Oct 2015 11:34:23 -0400 Message-ID: To: Tom Worster Cc: PHP Internals Content-Type: text/plain; charset=UTF-8 Subject: Re: PHP 7.1 - should we add a random_str() function? From: scott@paragonie.com (Scott Arciszewski) On Fri, Oct 2, 2015 at 5:10 PM, Tom Worster wrote: > I screwed up sending this earlier. Sorry if you get this twice. > > On 9/30/15 12:15 PM, Scott Arciszewski wrote: >> I think random_bytes() and random_int() are great; they provide a >> much-needed building block in PHP 7.0. However, I do worry a bit that >> the most common use for random_int() (generating a random string of a >> fixed length with a given character set) will be reinvented over and >> over again, and rarely consistently. > > On one had I agree that it's a common use and put a method in Yii2's > Security component for it (albeit less general then your proposal). But I'm > not sure the motive you gave is sufficient to put it in PHP core. > > We should be less concerned about people reinventing it over and over than > people getting it wrong. The SO answer you referenced expresses exactly this > concern. This was the motive for the new random functions and the password > hash functions. It's a good argument. > > >> I would propose a random_str() function that behaves similar to this >> userland snippet: http://stackoverflow.com/a/32870871/2224584 >> >> Function prototype: >> >>> string random_str( int $length, string $charset) >> >> Would return a string or throw an Error|Exception (e.g. invalid input >> parameters, or the operating system's CSPRNG begins to melt). > > If the problem is poor algorithms generating random strings that get "used > for anything remotely analogous to a password" then I think this is not > enough to be a solution. I think a class is needed that can do more > including: > > - Unicode characters. The $random_str .= $charset[$r]; line in the snippet > you referenced implies a rather parochial tacit assumption. Passwords aren't > always limited to Basic Latin. > > - Constraints such as: exclude easily confusable characters such as 0 and O, > at least one digit, pronounceable, and things like that > > - Choosing from a set of words (Diceware) > > From my own interactions with others, I know that people who shouldn't do in > fact attempt to implement this kind of stuff. And that's to be expected > because PHP apps very often need it. > > > >> I can write up an RFC for this, with a patch targeting 7.1, if anyone >> is interested in it. >> >> Scott Arciszewski >> Chief Development Officer >> Paragon Initiative Enterprises >> > You mentioned diceware. Incidentally, https://paragonie.com/blog/2015/07/common-uses-for-csprngs-cryptographically-secure-pseudo-random-number-generators#diceware Some problems (i.e. random_int) should be fixed at a language level. Others, through education. In the end, this might be an education issue. Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises