PHP registration: automatic password creation or user selection

During registration, I am debating how I should set a user's password:

  • Let the user select it. If I do, I have to apply some standards (length, weakness, possibly regular expressions, etc.). What do you usually do when you choose this path, and why? Is there a PHP library for this?

  • Automatically create a password for the user and send it by e-mail. They cannot log in without receiving the password, so it also verifies the e-mail address. The problem is that the password may be too complicated for the user to remember. If I let them change it to something easier, that defeats the purpose of choosing it for them in the first place. I am also worried about passing the password around (as a plain, un-hashed password) in an e-mail.

I lean toward the second, but would like a more reasoned answer before choosing. Perhaps I am overlooking user convenience and other technical problems. What do you do?

Edit: based on the answers I am going to pick the first option, letting the user choose. Then my question becomes: what password strength / length / etc. should I demand, and how can I enforce it? Are there any PHP libraries for this?

+4
5 answers

I think there is only one answer to this question: let the user make their own password! Everything else is programmer laziness and poor interaction design and customer friendliness (IMO).

Now, I can see a few exceptions, namely if it is some kind of low-intensity intranet system with only a few users who agree to this, or if it is a one-time account that people will not need to log in to later.

In any case, you need to hash and salt your passwords, even if you create them yourself. All you need to add are some validation rules when the user first registers. This is probably even easier than writing a good password generator.

Password strength

Link to the post about the 10 indicators of password strength

+6
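As an added example (not code from the question or from any of the answers), here is one way to do the "validation rules plus hash and salt" that this answer recommends: a server-side policy in PHP that enforces a minimum and maximum length, rejects a small constructed deny-list of common passwords, rejects passwords containing the user's e-mail local part, and then stores the password with PHP's built-in password_hash() (PHP 5.5+), which generates and embeds the salt itself. The constants, function names, the deny-list and the sample inputs are all assumptions.

```php
<?php
// Added example, not code from the question or any answer.
// Policy: 12..128 characters, not in a deny-list of common passwords,
// and not containing the local part of the user's e-mail address.
const MIN_PASSWORD_LENGTH = 12;
const MAX_PASSWORD_LENGTH = 128;   // bound the input fed to the hash function

// Constructed, deliberately tiny deny-list; a real deployment would load a
// large list of breached/common passwords instead.
const COMMON_PASSWORDS = ['password', '123456', 'qwerty', 'letmein', 'password1'];

/** Returns a list of human-readable problems; an empty array means acceptable. */
function passwordProblems(string $password, string $email): array
{
    $problems = [];
    $len = mb_strlen($password, 'UTF-8');
    if ($len < MIN_PASSWORD_LENGTH) {
        $problems[] = 'must be at least ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    if ($len > MAX_PASSWORD_LENGTH) {
        $problems[] = 'must be at most ' . MAX_PASSWORD_LENGTH . ' characters';
    }
    if (in_array(mb_strtolower($password, 'UTF-8'), COMMON_PASSWORDS, true)) {
        $problems[] = 'is too common';
    }
    // Part of the e-mail before '@' (or the whole string if there is no '@').
    $local = strtolower(strstr($email, '@', true) ?: $email);
    if (strlen($local) >= 4 && stripos($password, $local) !== false) {
        $problems[] = 'must not contain your e-mail address';
    }
    return $problems;
}

/** Salted, slow hash for storage; verify later with password_verify(). */
function storablePasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample input; in a real form these come from $_POST.
$email = 'alice@example.com';
foreach (['alice2020', 'Password1', 'correct horse battery staple'] as $candidate) {
    $problems = passwordProblems($candidate, $email);
    echo $candidate, ': ', $problems ? implode('; ', $problems) : 'accepted', "\n";
}
$hash = storablePasswordHash('correct horse battery staple');
var_dump(password_verify('correct horse battery staple', $hash));
```

The first two sample passwords are rejected (too short, and either containing the e-mail name or on the deny-list), and the third is accepted and verifies against its stored hash.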

You can always suggest a random password if the user's imagination suddenly runs dry. Of course, you make sure that the generated password is "strong" (according to your rules), and you provide a "suggest a new password" button.

Users who do not need complex passwords or unique passwords for different sites will always switch to the one they would have chosen if you had allowed them to in the first place. In this case, you have annoyed them because you:

  • sent a valid password / activation code by email
  • made them check their inbox (and maybe wait for your letter to arrive)
  • made them change their password.

Final advice: rather than coercing, encourage, and emphasize the importance of password length. A password strength meter is one interesting way to do this.

+2

PHP password strength. This page has basic code, cleaned up so that you can modify it to suit your needs. Based on code from: http://www.tutorialtoday.com/read_tutorial/113/

Tests for lowercase letters / uppercase letters / numbers / non-word characters / at least 8 characters. If all conditions are met, the strength will be 5.

    $password = $_POST['pass']; // however you obtain the submitted password
    $strength = 0;
    // letters (lowercase)
    if (preg_match("/[a-z]+/", $password)) { $strength++; }
    // letters (uppercase)
    if (preg_match("/[A-Z]+/", $password)) { $strength++; }
    // numbers
    if (preg_match("/[0-9]+/", $password)) { $strength++; }
    // non-word characters (anything other than letters, digits and underscore)
    if (preg_match("/\W+/", $password)) { $strength++; }
    // at least 8 characters
    if (strlen($password) >= 8) { $strength++; }
    if ($strength >= 5) print "woo hoo"; else print "bah";
+1

Here is the code for generating a password with alphanumeric values:

    function genRandomString() {
        $length = 8;
        $characters = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        $string = "";
        for ($p = 0; $p < $length; $p++) {
            // random_int() (PHP 7+) is a CSPRNG; rand() is not suitable for passwords.
            // Both bounds are inclusive, so the upper bound must be strlen - 1
            // (strlen($characters) itself would index one past the end of the string).
            $string .= $characters[random_int(0, strlen($characters) - 1)];
        }
        return $string;
    }

Then do the following:

    $mailPass = genRandomString();
+1

Personally, I find it very annoying when access passwords are sent in clear-text e-mail. Moreover, the user can change the password anyway (I hope) and therefore change it to something other than what you created. So why not let the user choose the password they want during registration? Of course, you need to flag weak passwords (and possibly even prohibit their use altogether), but you really do not need to code this check yourself, since there are dozens of ready-made JS libraries that can do it for you.

0
