Secure PHP Password Randomization Automation

Creating secure passwords to prevent brute force attacks is in contrast to secure passwords that users can remember and enter correctly. Users tend to forget mixed upper case and lower case letters, especially if mixed with numbers and even more with non-alphanumerics. Captchas enhance the security of PHP web forms by blocking brute force attacks that enlist the power of automation. Where you draw the line between user friendly passwords and truly secure passwords is a personal and business choice.

Creating secure passwords is better left to automation such as PHP Programs that can randomize the process without user influence. The problem of being user friendly crops up when the new secure password is presented to the user in a web page, where the user may misread the characters. Characters such as the letter O get mixed up with the number 0, as do the lower case letter L with the upper case letter I and the number 1. No great dilemma since there are plenty of characters in the alphanumeric group plus the non-alphanumerics we can safely choose from.

Beware illegal characters that may contribute to vulnerabilities in your PHP Programs. If you allow passwords to contain illegal characters such as < or > or ‘ or ” you may have to let your PHP Guard down to let PHP process them. If you do that, PHP may become vulnerable to SQL Injection and Code Injection hacking techniques.  Play it safe and stick to characters that play nicely in the PHP processing arena. Pick a safe subset of non-alphanumeric characters to add to your alhpanumerics, such as ! @ # $ * – _ and maybe a few others. But heck, why bother with such characters aside those that may occur inside an email address? People tend to use normal screen names else their email addresses since they’re much easier to remember.

Your user should be offered the ability to click a button and have a secure password generated for them, and allow them to continue getting suggestions until they are happy. The process of automating password generation is quite simple as long as you follow a few simple rules, including character exclusion above.

Here’s an easy method to try before getting into the cool complicated strong handling automation later on:

1. Create an a array of characters to choose from:
@ $chars = array(‘a’,’b’,’c’,’d’…  ,’A’,’B,’C,’D’…  ,’2′,’3′,’4′,…   ,’!’,’@’,’#’…);
etc. This is truncated so populate this array with the entire set of whatever characters you choose to use. We need to know exactly how many characters exist in this array to tell our iterative loop below where to stop looking for the end of the array:

2. Set a variable to the total number of characters in the array:
@ $num = count($chars);

3. Decide how many characters will be delivered in the secure password string, or perhaps a range of string lengths. Let’s work with a rangeof secure password string lengths starting at 5 on the low and 8 on the high. We’ll be iterating through the string placing randomly selected characters from our array above.
@ $random_pwd_length = rand(5,8);

4. Now that we have an array of characters to iterate through, plus we know the total number of characters in the array, and we know the minimum and maximum length of the desired password string, we can start the final iteration to generate the password string. The iterative loop starts at zero, which should make sense, else you should return to iterative loops and while loops for the basics of iteration to understand the zero value.

Our loop starts at zero and continues while our incrementing value remains lower than the randomly selected password string length value (5-8). The iterative loop increments the loop count by one every turn ($i++) and each pass through the loop adds a new randomly selected character to the password string.

for ($i=0;$i<$random_pwd_length,$i++)
@ $secure_password += $chars[rand(0,$num-1)];

The array count starts at zero, which means the first value has a key of 0. If the array has 100 characters and the first is key zero (0), the last is not key one hundred, but rather key 99. That’s why the random number generator ranges from 0 through 99, instead of 1 through 100. As that line of code reads, “Add onto the end of the secure_password variable a character from the chars array selected as some random value between 0 and 99 (the entire array) and keep adding characters until the max value of between 5 and 8 characters has been added to the string.

The longer the resulting password string length, the less likely your password will be repeated. Unlike screen names, passwords do not need to be unique for login systems. Odds favor users will end up with user-defined passwords used by other members, since we’re only human and we like our pets, kids, birth dates, etc. However, if unique passwords are a necessity, place this iterative loop inside a test loop that assures the password meets some specification, else the iterative loop runs again until a unique password is generated, then exists the test loop.

The basics for a strong secure password in PHP is that it meets a minimum length requirement, contains at least one lower case and one upper case character from the numeric, alpha, and non-alphanumeric character sets, and isn’t posted to the local hackers’ blog! Prevent passwords les than 5 characters and prefer passwords that are 8 characters long or longer.
a) Here are some examples of strong secure passwords:

b) Here are some hackenschpeken  passwords that are strong and secure
B1g0ld71r3    => “bigoldtire”
1w@nn@b3r1c42   => “iwannaberichtoo”
pupp13$1n@bl@nk37   => “puppiesinablanket”

Some additional advise for users to follow, or perhaps a requirement to enforce, is that passwords be updated on a schedule. Many sites now use a Javascript to indicate to users whether their passwords are poor/okay/strong and whether they match when the password is to be re-entered a second time. Encrypt user passwords if they are to be contained in cookies and/or sent through an insecure environment. SSL is a desired protocol to encrypt your users’ communications with the server, but that doesn’t mean their transmissions are secure. There is more to securing a website and authentication mechanisms than included in this article, so make sure you understand the wide world of web security and network security before dabbling in the loss of user, client, and customer proprietary and personal information.

If you have questions about web security and how secure your website is for your users, contact The PHP Kemist at 801.253.2564. We specialize in Security PHP Programming and keeping customers safe and sane.

Leave a Reply