Random generate a "pronounceable" password for your users.

Since VB3's expire function for passwords, you can now force your members to change password. But very often, people tend to forget their recently changed password.
Also, if you add the "history" option, people will have to come up with a new password everytime and that particular detail is not always appreciated.

One thing to do is random generate a password but you can be sure you users will never remember this one.

So I came up with the idea to random generate an "easy to remember" password.
A while back I read on php.net about a small piece of code that generates a "pronouncable" password which is easier to remember, so I decided to integrate this function into vB.

What the hack does is add a link in the "Change password" page which makes the page auto-generate a "pronounceable" password. Also, it changes the inputfields from passwordfields to regular textfields. In the first passwordfield, the generated password is placed. The second field will still be empty so the user will have to retype the password.

Changes to do:
-file edits (2)
-template edits (1)
-adding phrases (1)


Installation:
Open admincp/functions_user.php and look for:

PHP Code:

     return $word;
} 


After that, add:

PHP Code:

// ############ Extra function to create random pronouncable password ##########
function createpronouncepass() {
    $array = array(
            'ap','dus','tin','rog','sti','rev','pik','sty','lev','qot','rel','vid', 
            'kro','xo','pro','wia','axi','jer','foh','mu','ya','zol','gu','pli','cra', 
            'den','bi','sat','ry','qui','wip','fla','gro','tav','peh','gil','lot', 
            'azz','oi','sut','ury','kwi','owp','fli','ws','ava','nou','gae','ing', 
            '132','you','789','buo','gro','mup','flo','alc','spi','nku','gui','win', 
            'kal','zan','noc','bat','tev','lun','pal','hom','cun','wos','vox'); 

    $num_letters = 7; //The number of letters 
    mt_srand((double)microtime()*1000000);

    for($i=0; $i<$num_letters; $i++)
    $pass .= $array[mt_rand(0, (count($array) - 1))]; 

    for($i=1; $i<strlen($pass); $i++) {
        if(substr($pass, $i, 1) == substr($pass, $i-1, 1)) 
            $pass = substr($pass, 0, $i) . substr($pass, $i+1);
    } 

    $pass = substr($pass, 0, $num_letters);
    return $pass;
} 


Save and upload functions_user.php

Open profile.php and look for:

PHP Code:

    // show Optional because password expired
    $show['password_optional'] = !$show['passwordexpired'];
    $templatename = 'modifypassword'; 


After that, add:

PHP Code:

    if ($_REQUEST['extra'] == 'genrandom') {
        $randompass = createpronouncepass();
        $passwordfield = "text";
    } else {
        $randompass = "";
        $passwordfield = "password";
    } 


Save and upload profile.php

In the template "modifypassword", look for:

PHP Code:

<input type="password" class="bginput" name="newpassword" size="50" maxlength="50" /> 


and replace it with:

PHP Code:

<input type="$passwordfield" class="bginput" name="newpassword" size="50" maxlength="50" value="$randompass" /> 


look for:

PHP Code:

<input type="password" class="bginput" name="newpasswordconfirm" size="50" maxlength="50" /> 


and replace it with:

PHP Code:

<input type="$passwordfield" class="bginput" name="newpasswordconfirm" size="50" maxlength="50" />
<br />$vbphrase[generate_random_password] 


Add the following phrase:

Code:

Phrase Type: User tools (global)
Varname: generate_random_password
Text: <a href="profile.php?s={$session['sessionhash']}&do=editpassword&extra=genrandom">Click here to have a random password generated for you.</a>

That's it!

Small note:
A 7 char "pronounceable" password is generated every time. If you want more or less characters, all you have to do is change this value in admincp/functions_user.php:

PHP Code:

    $num_letters = 7; //The number of letters 


[Reeve of shinra]

Very useful. Thanks for sharing!

[rookie7]

The only thing I hesitate to install this hack is the possibility of cracking the passwords. Any chance your hack can prevent the generated passwords from being cracked?

[Natch]

Nothing in a hack can prevent a password cracker from cracking a password - that would be magic, and we don't deal in magic here - tbh 7 characters seems a little low as a default in this situation as the mini-phrases that make up the passwords are a known factor... in this instance I would sughgest users use a default of 15 or 20 characters at least - as it's pronounceable it is less of an issue it being longer...

[TripLcixx]

Any password can be "cracked" if you do a bruteforce check on it and have enough time. The good thing with VB3 is the "scratches" system, which bans ppl for 15mins if they use the wrong password 5 times. This makes any bruteforce attempt a lot harder.

@ Natch: well, your post makes sense, but I somehow believe that a 7 char random generated password is harder to guess than a password made up by a user (as they tend to use real life words, which can easily be cracked with some sort of dictionary search)

Well, you can specify the amount of chars the password has to be so...everybody happy?

[j_86]

All passwords can be cracked, if you have the strikes system you'll be fine with this hack because practicaly all probabilities are in your favour.

If you DO NOT use the strike system, however; because the possible components of passwords have been released to the public, it does indeed become easier to crack. But nothing to worry about, with the strikes system