make_password: generate longer passwords by default, use better random function if available

6 years ago · 16a9bdc387
parent ef6d2b8a4e
commit 16a9bdc387
3 changed files with 14 additions and 7 deletions
--- a/classes/pref/users.php
+++ b/classes/pref/users.php
@ -231,7 +231,7 @@ class Pref_Users extends Handler_Protected {
 		function add() {
 			$login = trim(clean($_REQUEST["login"]));
-			$tmp_user_pwd = make_password(8);
+			$tmp_user_pwd = make_password();
 			$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 			$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@ -283,7 +283,7 @@ class Pref_Users extends Handler_Protected {
 				$login = $row["login"];
 				$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
-				$tmp_user_pwd = make_password(8);
+				$tmp_user_pwd = make_password();
 				$pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
--- a/include/functions.php
+++ b/include/functions.php
@ -737,7 +737,7 @@
 		}
 	}
-	function make_password($length = 8) {
+	function make_password($length = 12) {
 		$password = "";
 		$possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ";
--- a/install/index.php
+++ b/install/index.php
@ -55,21 +55,28 @@
 		//
 	}
-	function make_password($length = 8) {
+	function make_password($length = 12) {
 		$password = "";
 		$possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ*%+^";
-	$i = 0;
+		$i = 0;
 		while ($i < $length) {
-			$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
+
 			try {
 				$idx = function_exists("random_int") ? random_int(0, strlen($possible) - 1) : mt_rand(0, strlen($possible) - 1);
 			} catch (Exception $e) {
 				$idx = mt_rand(0, strlen($possible) - 1);
 			}
 			$char = substr($possible, $idx, 1);
 			if (!strstr($password, $char)) {
 				$password .= $char;
 				$i++;
 			}
 		}
 		return $password;
 	}