Saturday, 18 July 2015

Cryptographically Secure Random String Function

I have been reading on here and other places, but I still hear so many different answers/opinions. Can people who are up to date and knowledgeable about security and cryptography chime in here?

The suggested duplicate has only one attempted answer. It does not come close to an answer.

Goal: Find the most cryptographically secure random string generator, using alphabetic, numeric and, if possible, special characters in the string.

I welcome any suggestions to improve the cryptographic strength.

The below functions will be used to generate an 8 character random password and also generate a 128 character random token.

Function 1:

/**
 * Used for generating a random string.
 *
 * @param int $_Length  The length of the random string.
 * @return string The random string.
 */
function gfRandomString($_Length) {
    $alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    $pass = array(); //remember to declare $pass as an array
    $alphaLength = strlen($alphabet) - 1; //put the length -1 in cache
    for ($i = 0; $i < $_Length; $i++) {
        $n = rand(0, $alphaLength);
        $pass[] = $alphabet[$n];
    }
    return implode($pass); //turn the array into a string
}

Function 2:

The php.net docs say: crypto_strong: If passed into the function, this will hold a boolean value that determines if the algorithm used was "cryptographically strong", e.g., safe for usage with GPG, passwords, etc. TRUE if it did, otherwise FALSE.

So is that based on the server? If I test it once, and it is able to generate a crypto_strong string, will it always be able to? Or would I need to check each time and create a loop until it generates a crypto_strong string?

/**
 * Used for generating a random string.
 *
 * @param int $_Length  The number of random bytes to generate.
 * @return string The random string, hex-encoded (twice $_Length characters).
 */
function gfSecureString($_Length) {
    $Str = bin2hex(openssl_random_pseudo_bytes($_Length));
    return $Str; 
}
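
An added example, not part of the original post: the same two generators written so that every character index comes from the operating system CSPRNG and the `$crypto_strong` flag is checked on every call, failing closed instead of looping. It assumes PHP 7 or later for `random_int()`; the function names `secureRandomString` and `secureHexToken` and the sample alphabet are hypothetical.

```php
<?php
/**
 * Added example: uniform random string drawn from a CSPRNG.
 * Assumes PHP 7+ (random_int); function names are hypothetical.
 */
function secureRandomString(int $length, string $alphabet): string
{
    $max = strlen($alphabet) - 1;
    if ($length < 1 || $max < 1) {
        throw new InvalidArgumentException('need length >= 1 and an alphabet of at least 2 characters');
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() uses the OS CSPRNG and is uniform over [0, $max],
        // so there is no modulo bias; it throws rather than degrading silently.
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/**
 * Hex token from openssl_random_pseudo_bytes() that refuses to return
 * anything unless the $crypto_strong flag was set for this call.
 * Returns 2 * $bytes hex characters.
 */
function secureHexToken(int $bytes): string
{
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || $strong !== true) {
        throw new RuntimeException('no cryptographically strong random source available');
    }
    return bin2hex($raw);
}

// Constructed alphabet for the demonstration: letters, digits and some specials.
$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_';
$password = secureRandomString(8, $alphabet);
$token    = secureHexToken(64); // 64 random bytes -> 128 hex characters

printf("password (%d chars): %s\n", strlen($password), $password);
printf("token    (%d chars): %s\n", strlen($token), $token);
```

Hex encoding carries 4 bits per character, so the 128-character token holds 512 bits of randomness, while the 8-character password over this 72-symbol alphabet holds roughly 49 bits.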
