Admin
PHP runs on MVS?
This does what it claims to. It does so stupidly, but it works. (I don't have PHP installed, so I changed a couple things to run it in perl)
Admin
My first post... and I'm ready for the slang...
doesn't waste loops?
Admin
It would have to be extremely bad luck, an extremely long password, or generating a ton of passwords (most likely, this function is being called once in a while). The probability of getting a valid character, even with the most restrictions, is a bit under 1/6. In actual practice, a password will be generated in a negligible amount of time (to human perception). In 100 attempts, the odds of not generating a valid character is around 2.3 x 10^-8 (well, if the numbers were truly random--but you get the idea).
Of course, this is not to say this function is any good!
Admin
Common mistake. Many people fail to realize the difference between picking a random value and selecting a unique random item from a finite list. The first is truly random; who cares if an item was picked before or not.
The second you need a list, randomly pick one and remove it from the list. As you randomly pick one the list grows shorter. There is no degradation in performance here.
Admin
Likewise... but I notice that when I call with $usealpha false, the passwords it generates still contain the occasional capital I. Even though I is in $disallow, and even though the comments seem to be suggesting it wants to disallow I because it could be confused for 1. Weird.
BTW, calling false, false for $usealpha , $usenum seems to behave identically to calling it with false, true.
Oh, I just figured out why I's slip in there:
!strpos($disallow, chr($n))
will evaluate true if strpos($disallow, chr($n)) returns 0, and I is in the 0th position in $disallow.
Ha ha!
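The strpos slip described in this comment, as an added PHP example (not code from the thread or from the original generator): the first character of the blacklist sits at index 0, strpos() returns 0 for it, and !0 is true, so the "disallowed" check lets it through. The $disallow string below is a constructed sample that, like the one in the thread, starts with I; the function names and the '0'..'z' draw range are this example's own.

```php
<?php
// Added example: why `!strpos(...)` lets the first blacklisted character
// through, and the strict comparison that does not.
// Constructed blacklist of look-alike characters; position 0 is 'I'.
const DISALLOW = 'I1lO0';

// The check as written in the generator. strpos() returns 0 for 'I'
// (index 0) and !0 is true, so 'I' is treated as allowed. Every other
// listed character returns a non-zero index and is rejected; characters
// not in the list return false, and !false is true, so they pass.
function allowedBuggy(string $ch, string $disallow = DISALLOW): bool
{
    return !strpos($disallow, $ch);
}

// The intended check: strpos() returns false only when the character is absent.
function allowedFixed(string $ch, string $disallow = DISALLOW): bool
{
    return strpos($disallow, $ch) === false;
}

// Which blacklisted characters does a given check still let through?
function leakedChars(callable $check, string $disallow = DISALLOW): array
{
    $leaked = [];
    foreach (str_split($disallow) as $ch) {
        if ($check($ch, $disallow)) {
            $leaked[] = $ch;
        }
    }
    return $leaked;
}

// The generator's rejection loop, reduced to its shape: draw a random
// byte in a constructed range, keep it only if it is alphanumeric and
// passes the supplied check. With allowedBuggy an 'I' can appear in the
// output; with allowedFixed it cannot.
function genWithCheck(int $length, callable $check): string
{
    $pwd = '';
    while (strlen($pwd) < $length) {
        $ch = chr(random_int(48, 122)); // '0'..'z', assumed range for the demo
        if (preg_match('/^[A-Za-z0-9]$/', $ch) && $check($ch, DISALLOW)) {
            $pwd .= $ch;
        }
    }
    return $pwd;
}

print_r(leakedChars('allowedBuggy')); // Array ( [0] => I )
print_r(leakedChars('allowedFixed')); // Array ( )
echo genWithCheck(8, 'allowedFixed'), "\n";
```

The same trap applies to any PHP function that returns an index or false (strpos, stripos, array_search): test the result with === false rather than with a boolean negation.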
Admin
false, false would result in an infinite loop with no letters or numbers being valid (except the I which dozens of people already mentioned). In the comment header block, the programmer notes that false for $usealpha, indicates to ignore $usenum and set it to true.
Admin
Definitely wtf code...
Even though it works, it's still wtf code...
Admin
Write down passwords? Just use email or IM, then you can directly paste the password into your passwords.txt file that is on your desktop. Copy and paste the password in whatever app needs it.
Very long passwords can be used for high security, because you never actually have to type them. ;)
Admin
There is no infinite loop, since the I can be added (as only char). If the strpos was done correctly, then it would be an infinite loop when called with false,false
Admin
Aside from the general yuckiness of the code itself, in my view this kind of randomly generated password actually weakens security. As has been pointed out, no one can remember a password like 1wbZtY9, so it gets written down, stored in a text file or changed to "rosebud". I generally use a couple of random words picked from /usr/dict/words plus a random numeral. This approach is more memorable and occasionally quite funny. Not very funny, but still sort of funny.
Admin
I just thought I should point this out... in the documentation:
// usenumeric - Boolean argument that specifies whether to use
//              numeric digits in the password. True - password
//              will contain numeric digits. False - password
//              will only contain alpha characters. Ignored if
//              usealpha is false, so if both are false,
//              passwords will be numeric only.
$usealpha and $usenumeric are behaving as intended (other than the capital i)
Admin
Obligatory Prolog solution:
Tested lightly in SWI-Prolog.
Admin
Nah, just cycles... :)
Admin
I just said it wouldn't be an infinite loop in the same sentence, but you cut off the end when you quoted me jackass.
If strpos was done correctly it STILL wouldn't infinite loop because when $usealpha is set to false, $usenum is set to null. The programmer specifically avoided this case and false, false doesn't exist. I also mentioned this in my post. What did you do - read the first 15 words, go to the bathroom, forget to read the rest of my post and then reply?
Admin
Admin
The really sad part is that it could have been easily done using PHP's unique id function that generates such randomness in a 32 character response. Parse it out how you see fit, but it in itself takes a fraction of a second to run..
Admin
I think the WTF is that a particular php script is likely to call GenPswd exactly once. If GenPswd is the only thing in the script that calls rand, and if rand's seed is initialized the same for every execution of the script, then it generates the same password every time. (I could be wrong, I don't know any PHP, but on every system I've ever used you have to do something special to get rand not to generate the same sequence for every run.)
Admin
Or it should replace those posts with random snippets from the CSOD library. Imagine that:
"Captcha was hilarious" gets changed to:
"Why not just replace this with:
That would be comedy gold.
I actually didn't know this site HAD captchas. I registered before post 0x01.
Admin
OK, something I don't know about. It's the first time I read about ASCII vs EBCDIC. I'll look into that stuff soon.
Thanks for the comment.
Captcha: Smile (yes, have a nice weekend too)
Admin
$a = $usealpha ? "A-Za-z" : "";
$n = $usenum ? "0-9" : "";
...no, best not to take that any further.
Admin
Another approach:
Admin
Assuming ASCII this also injects characters between '9' and 'A' (:;<=>?@) and 'Z' and 'a' ([]^_`) into the password which is obviously unintended since it's supposed to be alpha-numeric. Besides that, the hard to read logic (even though it's correct), the strpos mistake, and the mathematically possible infinite loop all add up to make it a WTF. The people going "well I used it and it works" are the type of people to write such horrible code and then shrug when someone points it out to them: "Hey, it works doesn't it?" when that's not the point at all.
Admin
Using shuffle, not bad, but you'd have to shuffle repeatedly and take the first character and append it to $pwd ;-)
Admin
I always used to create passwords with a syllable-generation system. A selection of consonants (selected both to avoid confusion and to guarantee nobody ever got a naughty word) was alternately combined with vowels to produce always-pronounceable passwords. This meant you never had to write them down.
While it was less secure than a system which generated 12-character alphanumerics, it allowed us to be draconian and evil enough about written passwords that they simply never happened. While it's massively easier to brute-force a 125,000 possibility keyspace, that's still massively harder than grabbing a Post-It on the way past someone's monitor.
Security's always a balance.
Admin
I'm no PHP coder but I don't think you have to do something to make rand create random numbers (judging from the PHP manual):
"Note: As of PHP 4.2.0, there is no need to seed the random number generator with srand() or mt_srand() as this is now done automatically."
And yeah, the code is inefficient and bloated, and && strpos($disallow, chr($n)) should have been && (strpos($disallow, chr($n)) === false)
BUT where the fuck are the real WTFs does no one write real horrible code anymore or what? Because this is IMHO only a minor wtf.
Admin
Ruby golf version
def random_pass(length, validator) (' ' * length).split('').map { |c| while (!(c =~ validator)); c = (rand(94) + 33).chr; end; c }.join('') end
test it...
puts random_pass(10, /[a-zA-Z0-9]/)
Admin
Mmm. A built-in source of non-reproducibility -- one of my favorites. That's gonna make debugging fun.
Admin
Off the top of my head:
*) no check for password length. A zero length password is useless, as is a 1e10 length password.
*) no check for duplicate characters. 112233 (while highly unlikely) is still a bad password.
*) no support for non-alphanumeric characters. I understand this was intentional, but I still think it's wise to include various acceptable characters.
*) As mentioned before, the blacklist approach is highly inefficient (should have used a whitelist approach) and the code is definitely more complex than it needs to be.
The capital I problem is likely just unfamiliarity with php (or lack of research). I would guess this person is just a newbie. Not particularly WTF. I certainly wouldn't use that if I had the choice though...
Admin
captcha: just kidding.
Admin
If there's one thing worse than random passwords for users who just want to get in, it's having stronger requirements for the username than most systems have for the password. In my first week of using the new site for my mastercard I'm on my second account (did I mention that when I have to put in my favorite pet/vacation place/programming language I make up the answer?).
Admin
There's only three possible blacklists; easier and more efficient to define them as constants instead of generating them for every call.
The maxord and minord values can be based off the usealpha and usenumeric parameters to reduce the number of invalid characters.
Overall, it's not the best of code but it's not the worst of code. Certainly not a WTF or even worse than failure; more like an average failure.
Admin
The Real WTF is people commenting on the lack of optimization of the code. They are the root of all evil.
if(isAdmin) pswd="wigwam"; else { if( rand() < 0.5 ) pswd = "password"; if( rand() < 0.5 ) pswd = "bob"; } return pswd;
Admin
unomi: passwords generated by your code don't have enough entropy as each character has probability 1/3 of being a digit, while it should be 10/(26+26) (minus number of disallowed chars that I am too lazy to count). The best in my opinion is to create a white list and take from that.
Peter R.: in your first approach you only allow a given char to appear once (putting an upper limit on password length but who needs an over sixty char password). Also, shuffling the entire array is a waste of cycles if you're making a comparatively short password. Your second approach is better but forcing the caller to choose number of letters and digits is not cool. Best would be IMO to create a string (or array, if you want) with all allowed chars and then pick random chars from it.
anonymouse:
Come on, the function does what it is asked to do, it is not its business to check the arguments make sense. It's as if an implementation for the multiplication operator refused to multiply by zero, arguing that it's silly as it always returns zero.
For your second point, rejecting duplicate characters decreases the entropy of the password so I wouldn't say it's a good thing. If a password is generated randomly, rejecting a password for any reason is bad for that reason. E.g. "mypassword", "1111111111" and "g9syKcEd23" have precisely the same probability to be produced by that algorithm (assuming the random number generator is working properly) so a dictionary attack has no reason to try one of these three rather than an other.
EDIT: fixed typo
Admin
So it's not a WTF, and the poster doesn't even explain why they think it's a WTF, other than say "go through the code". Weak. It works, and does what it advertises. It's not the best code, but finding badly-written code written in PHP is like finding flies in a field of dung.
Admin
Admin
I can't believe the amount of people here saying this code "isn't that bad" or "does what it's meant to do." Are you all insane?
The passwords generated have a 32-bit keyspace! A brute force attack will take no time at all to crack any password generated this way.
For the love of God, if you looked at the code and didn't think it was deeply, deeply wrong and perverse, stay the hell away from any security-related programming.
Admin
Admin
I thought the most commonly used password was "ChuckNorris". Oh wait, in a sense it is.
Admin
Do you know what the password will be used for? If it's for your average blog or forum then the password generator is fine. Not everything needs to be built for Fort Knox.
Admin
Two times have I been required to have an incredibly secure password (both involved PGP to some degree), and both let me know how I was doing. I remember somewhere that [email protected] is a good password (and easy as pie to remember)
I set up a wireless network with the password: iamthirteenhaha And it still hasn't been cracked. I give it a shot sometimes, but to no avail.
I think if you're on a linux system, and you passwd <username> yourself and change your password, and it doesn't complain about it, you're in good shape. for now.
Admin
It's not exactly what I'd call efficient code, but it does provide pretty random passwords per spec:
print Genpswd(8, true, true) . "\n";
print Genpswd(8, true, true) . "\n";
print Genpswd(8, true, true) . "\n";
print Genpswd(8, true, false) . "\n";
print Genpswd(8, true, false) . "\n";
print Genpswd(8, true, false) . "\n";
print Genpswd(8, false, true) . "\n";
print Genpswd(8, false, true) . "\n";
print Genpswd(8, false, true) . "\n";
?>
^Z
4rkKtra1
vB8hjJ1B
1gvgkpxU
GFAurtST
IYmwhpeg
IxvmvnJy
62252I5I
510I4031
79274081
No number-character ambiguities in the alphanumerics, quite random, it does the job. Considerably better than the Captcha software, which gives any decent robot at least a 1/30 chance of posting successfully. Maybe the site isn't juicy enough for robots to target?
Admin
...and what relation does this bear to the efficiency, coding style, or output of hand-hacked password code?
Admin
It may put an I in there... but that's more of an 'oh noes!' than a WTF, or even a Worse Than Failure™
They're obviously getting lazy since they realized all they have to do is plop any old code they can find in and some of the comments will be pure WTF gold.
Admin
mine is more of a WTF than that...
[code]
using System;
using System.Collections.Generic;
using System.Text;

namespace PwdGen
{
    public class Foo
    {
        public static string RandomPassword()
        {
            string ret = ""; // should be StringBuilder, WTF
            for (int i = 0; i < 16; i++)
            {
                if (i < 7)
                {
                    char c = GetChar();
                    while (c == char.MinValue) c = GetChar();
}
[/code]
Admin
crude I can see that I need to login....
Admin
Specifically this bit just before the disallowed character check.
Admin
Indeed. When I wrote my Catalyst password generation plugin (for all the Catalyst-based sites I maintained), I basically concatenated the user's name, the date, and a salt phrase. Then I computed its MD5-64 hash and pulled out the first 8 characters.
Not the strongest passwords, in a brute-force sense. But making an authentication function to prevent brute forcing is trivial.
I prefer easily quantifiable inefficiency to possibly unbounded inefficiency.
Admin
I thought the most common passwords were "qwerty" "123456" "password" and "secret."
Darn. I wish I hadn't written that. Now I have to go change my passwords.
Admin
There are 62 individual characters (assuming alphanumeric), 26 lower case, 26 uppercase, and 10 numbers.
And given that there isn't a max password length specified you can't break "any" password generated that way in "no time". Short passwords, sure, but longer ones are going to take a while.
A back of the envelope calc, assuming that a 4 GHz processor can check 1 password per cycle (4 billion / sec) shows that a 9 character password (62^9 complexity) would take 39 days to exhaustively test or, on average, 19.5 to guess. Bump that up to a 10 character password and it is now 3.3 years on average to guess (6.6 years to exhaustively test).
Is it less secure than a password of equal length that supports additional symbols?
Sure. But it isn't quite the disaster you are indicating.
Second, required password complexity is a business case, not a programming decision. It's not bad code to generate alphanumeric, alphabetic, or numeric passwords if that is what the business requires. (Possibly because it is for low security access, or for interoperability with legacy devices/systems)
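Two points raised in this thread, the whitelist approach recommended to unomi and Peter R. (build the allowed set once, then pick uniformly from it) and the keyspace arithmetic in the comment just above (62 characters, 4 billion guesses per second), as one added PHP example. This is not code from the thread or from the original generator; the excluded look-alike set 'Il1O0', the function names, and the use of random_int() (PHP 7 and later) are this example's own assumptions. The both-false case follows the original documentation quoted earlier: numeric only.

```php
<?php
// Added example: whitelist-based password generation plus keyspace estimates.

// Build the allowed alphabet once, dropping look-alike characters.
// The excluded set is a constructed choice, not the thread's exact list.
function buildAlphabet(bool $useAlpha, bool $useNum, string $exclude = 'Il1O0'): string
{
    $chars = '';
    if ($useAlpha) {
        $chars .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    }
    // Per the original docs: usenumeric is ignored when usealpha is false,
    // so (false, false) yields a numeric-only password.
    if ($useNum || !$useAlpha) {
        $chars .= '0123456789';
    }
    return str_replace(str_split($exclude), '', $chars);
}

// Pick every character uniformly from the alphabet: no rejection loop,
// no bias toward digits, and no characters between '9' and 'A' or 'Z' and 'a'.
function genFromWhitelist(int $length, string $alphabet): string
{
    if ($length < 1 || $alphabet === '') {
        throw new InvalidArgumentException('length must be >= 1 and alphabet non-empty');
    }
    $max = strlen($alphabet) - 1;
    $pwd = '';
    for ($i = 0; $i < $length; $i++) {
        $pwd .= $alphabet[random_int(0, $max)]; // CSPRNG, uniform in [0, $max]
    }
    return $pwd;
}

// Entropy in bits of a password whose characters are chosen uniformly.
function keyspaceBits(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

// Seconds to exhaust the whole keyspace at a given guess rate;
// the average time to hit one password is half of this.
function exhaustSeconds(int $alphabetSize, int $length, float $guessesPerSec): float
{
    return pow($alphabetSize, $length) / $guessesPerSec;
}

$alphabet = buildAlphabet(true, true);
printf("alphabet size: %d\n", strlen($alphabet));          // 57 with the 5 excluded chars
printf("sample: %s\n", genFromWhitelist(10, $alphabet));

// The thread's 62-character, 4 GHz figures: 9 chars is about 39 days to exhaust.
printf("62^9:  %.1f bits, %.1f days\n", keyspaceBits(62, 9), exhaustSeconds(62, 9, 4e9) / 86400);
printf("62^10: %.1f bits, %.1f years\n", keyspaceBits(62, 10), exhaustSeconds(62, 10, 4e9) / 86400 / 365);
```

Because every character is drawn uniformly from a fixed alphabet, the entropy really is length times log2(alphabet size); a rejection loop over a wider byte range only gives the same result if the surviving characters are themselves uniform, which is what the digit-bias objection above is about.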