It surprised me a lot that password generation is not configurable, and that the generation mechanism is even different for admin-generated customers and signup, so I had to dive into it. As it is FOSS, I suppose we should share some ideas, so here is mine.
The default password from the admin interface is a monster. None of my users wanted to enter a password like '353748roisvk2pf36505', and I cannot blame them. Neither did I want to change this password every other time. Not to mention that I have no control over the password generated during signup. So this is my small solution, applied to every place where a password is generated:
Code:
// Pick the layout at random: 0 or 1 with equal probability.
$rwh = mt_rand(0, 1);
if ($rwh) {
    // 4 letters followed by 4 digits (MDP_STRING / MDP_NUMERIC are the project's helpers).
    $passui_secret = MDP_STRING(4) . MDP_NUMERIC(4);
} else {
    // 4 digits followed by 4 letters.
    $passui_secret = MDP_NUMERIC(4) . MDP_STRING(4);
}
This creates 8-symbol passwords, not as easily hacked as 10 digits, but still not so hard to remember. The format changes from customer to customer (some 'characters-digits', others 'digits-characters'), thus leaving the hacker without an easy template to bruteforce.
But in order to keep these changes, I need to apply them again and again if any of the affected files change during a version upgrade. My suggestion to developers is to make this somehow configurable for everyone. Like '%num5%%char5%', or 'DDDDDCCCCC', or whatever is best. If one wants monster passwords, let him be; if someone doesn't care and needs a password of only 4 digits, let him have it.
Merry Xmas everyone
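The template-driven generator the post asks developers for, as an added example that is not the poster's code and not part of the project's own helpers. It assumes a small template alphabet of its own (D = digit, C = lowercase letter, U = uppercase letter, S = symbol, anything else copied literally), replaces the project's MDP_STRING()/MDP_NUMERIC() and mt_rand() with PHP's random_int() (a CSPRNG), supports the poster's "pick one of several layouts" idea, and computes the size of the resulting search space in bits so any template, including a plain digit string, can be compared on the same scale.

```php
<?php
// Added example: configurable password templates with a CSPRNG.
// Assumption: the class letters below are this example's own convention,
// not something the project defines.
const PWGEN_CLASSES = [
    'D' => '0123456789',
    'C' => 'abcdefghijklmnopqrstuvwxyz',
    'U' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
    'S' => '!@#$%^&*-_=+',
];

/**
 * Generate a password from a template such as 'DDDDCCCC' or 'CCCCCDDDDD'.
 * Each template character is replaced by one random symbol drawn from its
 * class with random_int(); characters outside PWGEN_CLASSES are copied
 * literally, so 'CCCC-DDDD' yields a hyphen in the middle.
 */
function pwgen_from_template(string $template): string
{
    $out = '';
    foreach (str_split($template) as $ch) {
        if (isset(PWGEN_CLASSES[$ch])) {
            $alphabet = PWGEN_CLASSES[$ch];
            $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        } else {
            $out .= $ch;
        }
    }
    return $out;
}

/**
 * The poster's "vary the layout per customer" idea: choose one of several
 * templates uniformly at random (with random_int, so the choice is
 * unpredictable) and generate from it.
 */
function pwgen_from_templates(array $templates): string
{
    return pwgen_from_template($templates[random_int(0, count($templates) - 1)]);
}

/**
 * Search-space size in bits for a set of equally likely templates:
 * log2( sum over templates of the product of the class sizes ).
 * Literal characters contribute nothing, since an attacker who knows the
 * template knows them.
 */
function pwgen_entropy_bits(array $templates): float
{
    $total = 0.0;
    foreach ($templates as $t) {
        $combos = 1.0;
        foreach (str_split($t) as $ch) {
            if (isset(PWGEN_CLASSES[$ch])) {
                $combos *= strlen(PWGEN_CLASSES[$ch]);
            }
        }
        $total += $combos;
    }
    return log($total, 2);
}

// Demo: the two layouts from the post, compared with a 10-digit string
// and with a longer mixed template.
$postFormats = ['CCCCDDDD', 'DDDDCCCC'];
printf("sample:            %s\n", pwgen_from_templates($postFormats));
printf("CCCCDDDD|DDDDCCCC: %.1f bits\n", pwgen_entropy_bits($postFormats));
printf("DDDDDDDDDD:        %.1f bits\n", pwgen_entropy_bits(['DDDDDDDDDD']));
printf("UCCCCC-DDDS:       %.1f bits\n", pwgen_entropy_bits(['UCCCCC-DDDS']));
```

Run it with `php pwgen.php`. The bit count is the figure to put next to each template when deciding what a store may allow: offering two layouts instead of one adds exactly one bit, while every extra position multiplies the space by its class size, so length and alphabet are what move the number.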