Generate Random Password - Minimum Params

11 years 3 months ago #51326 by ConsultED
By default, does the "Generate Random Password" option in JFBConnect Configuration pull from the settings applied/saved within Joomla's "Users > Options > Components" tab? i.e., does JFBConnect generate a random password based on the saved Joomla settings here for:
- Minimum Password Length
- Password Minimum Integers
- Password Minimum Symbols
- Password Upper Case Minimum

* If JFBConnect is not pulling from the Joomla settings, is there a way to reconfig the "Generate Random Password" option to follow params above? For those of us applying password policies on our site, this would be a handy Feature Request if it is not already pulling from the Joomla settings ;)
Last edit: 11 years 3 months ago by ConsultED.
The topic has been locked.
Support Specialist
11 years 3 months ago #51332 by alzander
It's an interesting question, but one I don't have a great answer for. JFBConnect uses the built-in Joomla function JUserHelper::genRandomPassword(). That function creates an 8-character password by default. There's no other flexibility in the creation though, other than length. It does not use the parameters you specify above.

The only time those parameters are used is during the saving of a user after registration on the front-end. There is a test performed on the submitted password to make sure it passes the test. Since we're generating the user in an automated fashion, that check doesn't happen.

You can also see the same behavior if you create a new user in the admin area without a password. They'll have an 8-character password emailed to them that won't necessarily follow the rules you've specified.

Unfortunately, I don't have a great suggestion on the edit to make to force the password to use the settings you chose. It would likely take a bit of work since we are using a core-Joomla function already to generate the current password, which you may not want to edit. One thing I could easily help you do is increase the length of the generated password to some very high number which a) would be more secure and b) may force your users to change their password when they first log in.

I hope that helps explain,
Alex
11 years 3 months ago #51364 by ConsultED
hmm, that/this is interesting...

thx for the insight Alex - this is definitely something that ought to happen upstream in Joomla/core function (it really seems silly to me that you can enforce thru Joomla's own User Options password requirements for new, front-end user registrations that joomla-core will then not follow/adhere to itself when creating a new user on the backend/auto-gen new user passwords, neither for length or character mix).

also feel silly asking you something like this, so please don't feel obligated/no offense taken if this isn't in the best interest of your time, but:

would something along this line (as defined in: libraries/joomla/user/helper.php) work to up the password length minimum?

    function genRandomPassword($length = 16)
    {
        // Characters the password may contain
        $salt = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        $len = strlen($salt);
        $makepass = '';

        // Seed mt_rand() from the current time and this file's stat data
        $stat = @stat(__FILE__);
        if (empty($stat) || !is_array($stat)) $stat = array(php_uname());

        mt_srand(crc32(microtime() . implode('|', $stat)));

        // Append one randomly chosen character per iteration
        for ($i = 0; $i < $length; $i++) {
            $makepass .= $salt[mt_rand(0, $len - 1)];
        }

        return $makepass;
    }

OR something like:

    $pw = substr(md5(rand()), 0, 16); //16 character random string

i may be looking at outdated joomla docs for this, so... not sure... I'm also delving into this intriguing php script to see if I can glean anything out to apply:

How to create a Joomla 3 user programmatically
Support Specialist
11 years 3 months ago #51368 by alzander
The doc you linked to seems up to date. However, the first block of that code is grabbing information input from the user and validating it against the password constraints. It's not randomly generating a password for the user, like you're looking to do. The 2nd block is taking that information and creating the user. Generating a password with those constraints is much more difficult as, what essentially has to happen, is that JFBConnect would generate a password and then pass it through each of the checks to see if it passes. If not, restart. It's something that may pass the first time but also may take 1 million tries (depending on your constraints)... which could be very bad for the user experience.

There's no function in PHP (that I know of) to generate a password with constraints... all you can do is pass the valid chars that can be used and length and something will be made. It's up to more code to validate it.

As to your other questions about increasing the length, yes, you *can* up that length = 8 parameter to default passwords to 16. That would work for JFBConnect, but other Joomla and 3rd party extensions call that code... so I'm not sure what would happen if the default length returned is 16. It could cause some unexpected problems. Instead, I'd recommend editing our /components/com_jfbconnect/models/loginregister.php file. At line 229, you'll see:

    $this->_newUserPassword = JUserHelper::genRandomPassword();

Change that to:

    $this->_newUserPassword = JUserHelper::genRandomPassword(16);

That will make our random password 16 characters, but not affect any other calls to genRandomPassword.

Finally, I added a task to our to-do list for 6.4 (not the upcoming 6.3) that will let you set a password length parameter in the JFBConnect area. It still won't follow the constraints, but could let you create a stronger/longer password like we're talking about now.

I hope that helps,
Alex
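
The thread discusses generating a password and re-checking it against the Joomla options until it passes. A constructive alternative that needs no retries, given here as an added example that is not part of the original posts and is not Joomla or JFBConnect code: place the required minimum of each character class first, pad to the minimum length, then shuffle, drawing every character with `random_int()` (PHP 7+). The function name, its parameters (modelled on the four options named in the question) and the symbol set are assumptions.

```php
<?php
// Added example, not Joomla or JFBConnect code. Function and parameter names
// are hypothetical; they mirror the four Joomla user options from the thread.
function generatePolicyPassword(int $minLength = 16, int $minIntegers = 1,
                                int $minSymbols = 1, int $minUppercase = 1): string
{
    $lower   = 'abcdefghijklmnopqrstuvwxyz';
    $upper   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $digits  = '0123456789';
    $symbols = '!@#$%^&*()-_=+[]{}';   // assumed set; adjust to what your site accepts

    // Draw one character from $set using the OS CSPRNG (random_int, PHP 7+).
    $pick = function (string $set): string {
        return $set[random_int(0, strlen($set) - 1)];
    };

    // 1. Satisfy each minimum directly, so no generate-and-retry loop is needed.
    $chars = [];
    foreach ([[$digits, $minIntegers], [$symbols, $minSymbols], [$upper, $minUppercase]] as [$set, $count]) {
        for ($i = 0; $i < $count; $i++) {
            $chars[] = $pick($set);
        }
    }

    // 2. Pad to the required length from the full alphabet.
    $all    = $lower . $upper . $digits . $symbols;
    $length = max($minLength, count($chars));
    while (count($chars) < $length) {
        $chars[] = $pick($all);
    }

    // 3. Fisher-Yates shuffle driven by random_int, so the required characters
    //    do not always sit at the front (the built-in shuffle() is not a CSPRNG).
    for ($i = count($chars) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
    }

    return implode('', $chars);
}

// Constructed policy values: length 16, 2 integers, 2 symbols, 2 upper case.
$pw = generatePolicyPassword(16, 2, 2, 2);
assert(strlen($pw) === 16);
assert(preg_match_all('/[0-9]/', $pw) >= 2);
assert(preg_match_all('/[A-Z]/', $pw) >= 2);
assert(preg_match_all('/[^a-zA-Z0-9]/', $pw) >= 2);
echo $pw, PHP_EOL;
```

The running time is fixed by the requested length, whatever the policy values are. To use it from an extension, read the four policy values from the site's user options and pass them in rather than hard-coding them.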