Note that whilst most systems use a cryptographically strong algorithm, you have to check, so we'll use a wrapper:

    /**
     * Return $length cryptographically strong random bytes, or throw if the
     * system could not provide them.
     */
    function strong_random_bytes($length)
    {
        $strong = false; // Flag for whether a strong algorithm was used
        $bytes = openssl_random_pseudo_bytes($length, $strong);

        if (!$strong) {
            // System did not use a cryptographically strong algorithm
            throw new Exception('Strong algorithm not available for PRNG.');
        }

        return $bytes;
    }

For the second part, we'll use base64_encode, since it takes a byte string and produces a series of characters whose alphabet is very close to the one specified in the original question. If we didn't mind having +, / and = characters appear in the final string, and we want a result at least $n characters long, we could simply use:

    base64_encode(strong_random_bytes(intval(ceil($n * 3 / 4))))

The 3/4 factor is due to the fact that base64 encoding produces a string at least a third longer than the byte string. The result will be exact when $n is a multiple of 4, and up to 3 characters longer otherwise. Since the extra characters are predominantly the padding character =, if we had a constraint that the password be an exact length, we can truncate it to the length we want. This matters because, for a given $n, all passwords would end with the same number of padding characters, so an attacker who had access to a resulting password would have up to 2 fewer characters to guess.

For extra credit, if we wanted to meet the exact spec in the OP's question, we would have to do a little more work. I'm going to forgo the base conversion approach here and go with a quick and dirty one. Both need to generate more randomness than will be used in the result anyway, because of the 62-entry alphabet.

For the extra characters in the result, we can simply discard them from the resulting string. If we start off with 8 bytes in our byte string, then up to about 25% of the base64 characters would be these "undesirable" characters, so simply discarding them results in a string no shorter than the OP wanted. Then we can truncate it to get down to the exact length:

    $dirty_pass = base64_encode(strong_random_bytes(8));
    $pass = substr(str_replace(['+', '/', '='], '', $dirty_pass), 0, 8);
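As an added example (not code from the original post), here is the discard-and-truncate approach generalised so that the result is always exactly $length characters, even in the rare case where a single draw loses too many characters to the filter; the wrapper from the post is repeated so the file runs stand-alone, and random_alnum is a name chosen for this example.

```php
<?php
// Wrapper from the post: cryptographically strong bytes or an exception.
function strong_random_bytes($length)
{
    $strong = false; // Flag for whether a strong algorithm was used
    $bytes = openssl_random_pseudo_bytes($length, $strong);

    if (!$strong) {
        // System did not use a cryptographically strong algorithm
        throw new Exception('Strong algorithm not available for PRNG.');
    }

    return $bytes;
}

// Each base64 character is uniform over 64 symbols. Dropping '+', '/' and
// '=' and keeping the rest is rejection sampling, so every kept character
// is uniform over the 62-symbol alphabet [A-Za-z0-9]; truncating afterwards
// keeps that property. Drawing 3 * $length bytes gives 4 * $length base64
// characters with no padding, so one iteration almost always suffices; the
// loop covers the rare draw that loses too many characters to the filter.
function random_alnum($length)
{
    $out = '';
    while (strlen($out) < $length) {
        $chunk = base64_encode(strong_random_bytes(3 * $length));
        $out .= str_replace(['+', '/', '='], '', $chunk);
    }
    return substr($out, 0, $length);
}

$pass = random_alnum(8);
if (!preg_match('/^[A-Za-z0-9]{8}$/', $pass)) {
    throw new RuntimeException('unexpected characters or length in result');
}
echo $pass, PHP_EOL;
```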