asterisk2billing.org
http://forum.asterisk2billing.org/

Password generation
http://forum.asterisk2billing.org/viewtopic.php?f=18&t=11085
Page 1 of 1

Author:  r00f [ Wed Dec 24, 2014 8:03 am ]
Post subject:  Password generation

It surprised me a lot that password generation is not configurable, and that the generation mechanism is even different for admin-generated customers and signup, so I had to dive into it. As it is FOSS, I suppose we should share some ideas, so here is mine.

The default password from the admin interface is a monster. None of my users wanted to enter a password like '353748roisvk2pf36505', and I cannot blame them. Neither did I want to change this password every other time. Not to mention that I have no control over the password generated during signup. So this is my small solution, applied to every place where a password is generated:

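Code:
// Randomly choose between the two formats
// (mt_rand() is not a cryptographically secure generator).
$rwh = mt_rand(0,1);
if ($rwh) {
   // four characters followed by four digits
   $passui_secret = MDP_STRING(4).MDP_NUMERIC(4);
} else {
   // four digits followed by four characters
   $passui_secret = MDP_NUMERIC(4).MDP_STRING(4);
}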


This creates 8-symbol passwords, not so easily hacked as 10 digits, but still not so hard to remember. It changes format from customer to customer (some 'characters-digits', others 'digits-characters'), thus leaving a hacker without an easy template to brute-force.

But in order to keep these changes, I need to apply them again and again if any of the affected files get changed during a version upgrade. My suggestion to the developers is to make this somehow configurable for everyone. Like '%num5%%char5%', or 'DDDDDCCCCC', or whatever is best. If one wants monster passwords, let him be; if someone doesn't care and needs a password of only 4 digits, let him have it.


Merry Xmas everyone
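
The configurable template suggested in the post ('DDDDDCCCCC'), sketched as an added example that is not part of the original post and not A2Billing code. It assumes PHP 7 or later for random_int(), that 'D' means a decimal digit and 'C' one of 26 lowercase letters, and the function names are hypothetical; it also prints the search-space size of a set of templates so formats can be compared before one is chosen.

```php
<?php
// Added example, not A2Billing code. Template symbols are assumed notation:
// 'D' = decimal digit, 'C' = lowercase letter.
const ALPHABETS = [
    'D' => '0123456789',
    'C' => 'abcdefghijklmnopqrstuvwxyz',
];

/** Return the alphabet for one template symbol, rejecting unknown symbols. */
function alphabet_for(string $sym): string
{
    $set = ALPHABETS[$sym] ?? null;
    if ($set === null) {
        throw new InvalidArgumentException("Unknown template symbol: '$sym'");
    }
    return $set;
}

/** Build a password from a template; random_int() draws from the OS CSPRNG. */
function generate_password(string $template): string
{
    if ($template === '') { throw new InvalidArgumentException('Empty template'); }
    $out = '';
    foreach (str_split($template) as $sym) {
        $set = alphabet_for($sym);
        $out .= $set[random_int(0, strlen($set) - 1)];
    }
    return $out;
}

/** log2 of the number of distinct passwords the given templates can produce. */
function search_space_bits(array $templates): float
{
    $total = 0.0;
    foreach ($templates as $template) {
        $count = 1.0;
        foreach (str_split($template) as $sym) {
            $count *= strlen(alphabet_for($sym));
        }
        $total += $count; // assumes templates yield disjoint password sets
    }
    return log($total, 2);
}

// Pick one of the configured templates at random, as the post's snippet does.
$templates = ['CCCCDDDD', 'DDDDCCCC'];
echo generate_password($templates[random_int(0, count($templates) - 1)]), "\n";
printf("CCCCDDDD|DDDDCCCC: %.1f bits\n", search_space_bits($templates));
printf("DDDDDDDDDD:        %.1f bits\n", search_space_bits(['DDDDDDDDDD']));
```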

All times are UTC