On 27.03.2014 11:27, Joseph Tam wrote:
> Reindl Harald h.reindl@thelounge.net writes:
> > frankly 8 chars is laughable, I recently wrote a PHP library to generate secure random passwords and for 100000 passwords get 13 collisions is way too much given that that means you have a collision every 8000 tries which means not you need 8000 in a real world attack
>
> (Off-topic)
> Not that I disagree with the conclusion that 8 character passwords are weak by today's standards, but there seems to be something wrong with your generator (weak PRNG? limited character set?). 13 collisions in 10^5 passwords is terrible, even by 1980 Unix standards.

- Intel IvyBridge with rngd
- haveged -w 3072 -v 1
- SURELY a limited character set because mail-clients don't handle any char
$internal_random = openssl_random_pseudo_bytes(15) . microtime() . serialize($_SERVER) . serialize($_REQUEST) . serialize($_ENV) . uniqid('', true) . openssl_random_pseudo_bytes(15)
- that is not the problem and a lot of high random crap
- but you can't use that for passwords
- after hash_pbkdf2('sha256', $internal_random, mcrypt_create_iv(16, MCRYPT_DEV_URANDOM), 20, $length) you are limited to low chars and number, so you need to randomly uppercase some chars and randomly insert acceptable special chars like array('_','#','*','-','&','!','?','.',',','=')
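
An added example, not code from this thread: it draws each character directly from the permitted set with PHP's CSPRNG and uses the birthday approximation to estimate how many collisions to expect among 100000 passwords of length 8. The `ALPHABET` constant and the function names are assumptions made for illustration; `random_int()` requires PHP 7 or later.

```php
<?php
// Added example; names and alphabet are assumptions, not the poster's library.
// Letters, digits and the ten special characters listed in the message above.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_#*-&!?.,=';

// Draw every character uniformly from the alphabet using the CSPRNG,
// so no hex-only intermediate step restricts the output space.
function generate_password(int $length, string $alphabet = ALPHABET): string
{
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Birthday approximation: expected number of colliding pairs among $n
// uniform draws from a space of $alphabetSize ** $length values.
function expected_collisions(int $n, int $alphabetSize, int $length): float
{
    $space = pow((float) $alphabetSize, $length);
    return $n * ($n - 1) / (2.0 * $space);
}

// Generate a batch and count how many passwords repeat an earlier one.
function observed_collisions(int $n, int $length): int
{
    $seen = [];
    $dups = 0;
    for ($i = 0; $i < $n; $i++) {
        $pw = generate_password($length);
        if (isset($seen[$pw])) {
            $dups++;
        } else {
            $seen[$pw] = true;
        }
    }
    return $dups;
}

$n = 100000;
$length = 8;
// hash_pbkdf2() without raw output returns lowercase hex: 16 symbols.
printf("expected, 16-symbol hex:   %.4f\n", expected_collisions($n, 16, $length));
printf("expected, %d-symbol set:   %.8f\n", strlen(ALPHABET), expected_collisions($n, strlen(ALPHABET), $length));
printf("observed, %d-symbol set:   %d\n", strlen(ALPHABET), observed_collisions($n, $length));
```

Comparing the observed count with the expected value for the alphabet actually in use shows whether a generator's collisions come from the size of its output space or from the randomness behind it.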