On Fri, Oct 2, 2015 at 5:10 PM, Tom Worster <f...@thefsb.org> wrote: > I screwed up sending this earlier. Sorry if you get this twice. > > On 9/30/15 12:15 PM, Scott Arciszewski wrote: >> I think random_bytes() and random_int() are great; they provide a >> much-needed building block in PHP 7.0. However, I do worry a bit that >> the most common use for random_int() (generating a random string of a >> fixed length with a given character set) will be reinvented over and >> over again, and rarely consistently. > > On one had I agree that it's a common use and put a method in Yii2's > Security component for it (albeit less general then your proposal). But I'm > not sure the motive you gave is sufficient to put it in PHP core. > > We should be less concerned about people reinventing it over and over than > people getting it wrong. The SO answer you referenced expresses exactly this > concern. This was the motive for the new random functions and the password > hash functions. It's a good argument. > > >> I would propose a random_str() function that behaves similar to this >> userland snippet: http://stackoverflow.com/a/32870871/2224584 >> >> Function prototype: >> >>> string random_str( int $length, string $charset) >> >> Would return a string or throw an Error|Exception (e.g. invalid input >> parameters, or the operating system's CSPRNG begins to melt). > > If the problem is poor algorithms generating random strings that get "used > for anything remotely analogous to a password" then I think this is not > enough to be a solution. I think a class is needed that can do more > including: > > - Unicode characters. The $random_str .= $charset[$r]; line in the snippet > you referenced implies a rather parochial tacit assumption. Passwords aren't > always limited to Basic Latin. > > - Constraints such as: exclude easily confusable characters such as 0 and O, > at least one digit, pronounceable, and things like that > > - Choosing from a set of words (Diceware) > > From my own interactions with others, I know that people who shouldn't do in > fact attempt to implement this kind of stuff. And that's to be expected > because PHP apps very often need it. > > > >> I can write up an RFC for this, with a patch targeting 7.1, if anyone >> is interested in it. >> >> Scott Arciszewski >> Chief Development Officer >> Paragon Initiative Enterprises <https://paragonie.com> >> >
You mentioned diceware. Incidentally, https://paragonie.com/blog/2015/07/common-uses-for-csprngs-cryptographically-secure-pseudo-random-number-generators#diceware Some problems (i.e. random_int) should be fixed at a language level. Others, through education. In the end, this might be an education issue. Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises <https://paragonie.com> -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
