WEB Random Password

Discussion in 'OT Technology' started by hurleyint1386, Nov 7, 2009.

  1. hurleyint1386

    hurleyint1386 Someone has sand in their vagina

    Joined:
    Jan 6, 2005
    Messages:
    3,687
    Likes Received:
    0
    Location:
    Rochester, NY
    So I've currently got a table of about 350 people and I want to give them all passwords. I don't want to give them all the same password then have some ass go in and change other people's information. So I'd like to randomly generate a 6 digit password for the person. I'd rather not randomly generate a password for each individual password and update it in the table. Does anyone know of a way to possibly update the whole table with random characters for a password in the password field? If this is hard to understand, let me know and I'll try to clarify.
     
  2. 2ofdem

    2ofdem OT Supporter

    Joined:
    Jun 17, 2003
    Messages:
    114,853
    Likes Received:
    8
    Location:
    aus.vic.mel
    what DB?

    simple in PHP
    select * from table
    then do a while loop on the result
    generate random password (shitloads of pre written scripts)
    use a unique field in that to make an update sql query
    ????
    Profit.
     
  3. hurleyint1386

    hurleyint1386 Someone has sand in their vagina

    Joined:
    Jan 6, 2005
    Messages:
    3,687
    Likes Received:
    0
    Location:
    Rochester, NY
    Hmmm, I guess that's not too bad. I don't know why I didn't think about just doing that. Thanks.
     
  4. Swerve

    Swerve OT Supporter

    Joined:
    Feb 20, 2005
    Messages:
    3,175
    Likes Received:
    3
    I would do a trial output of passwords first because if you use a random() function, sometimes they match since they're based on the computer's clock.
     
  5. 2ofdem

    2ofdem OT Supporter

    Joined:
    Jun 17, 2003
    Messages:
    114,853
    Likes Received:
    8
    Location:
    aus.vic.mel
    Say you use capitals, lowercase, numbers and other characters, you probably have around 100 choices for each of the 6 characters, or 100 to the power of 6, which is 1000000000000 possible password combinations.
     
  6. biawokauns

    biawokauns New Member

    Joined:
    Sep 18, 2001
    Messages:
    19,893
    Likes Received:
    0
    Location:
    Republic of Kalifornia
    current timestamp + SHA1 hash of a random number
     
  7. hurleyint1386

    hurleyint1386 Someone has sand in their vagina

    Joined:
    Jan 6, 2005
    Messages:
    3,687
    Likes Received:
    0
    Location:
    Rochester, NY
    only thing with this is that if you do a timestamp, to go through 350 records would only take a couple seconds, there would be duplicates.
     
  8. biawokauns

    biawokauns New Member

    Joined:
    Sep 18, 2001
    Messages:
    19,893
    Likes Received:
    0
    Location:
    Republic of Kalifornia
    no there wouldn't, you're generating a sha1 hash of a random number as well
     
  9. brds

    brds OT Supporter

    Joined:
    Jun 26, 2006
    Messages:
    17,642
    Likes Received:
    13
    Location:
    Atlanta
    something like this:

     
  10. hurleyint1386

    hurleyint1386 Someone has sand in their vagina

    Joined:
    Jan 6, 2005
    Messages:
    3,687
    Likes Received:
    0
    Location:
    Rochester, NY
    If you sha1 the same time stamp, it should keep the exact same value. If it does 20 records in a second, it should have the same value time stamp unless it records milliseconds as well. Right?
     
  11. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,315
    Likes Received:
    70
    Location:
    Tasmania
    Seed the number off something other than a timestamp? Eg random number seeded off their username.. or something like that. Even something simpler.. random number x userID then sha1
     
  12. biawokauns

    biawokauns New Member

    Joined:
    Sep 18, 2001
    Messages:
    19,893
    Likes Received:
    0
    Location:
    Republic of Kalifornia
    :o
     
  13. biawokauns

    biawokauns New Member

    Joined:
    Sep 18, 2001
    Messages:
    19,893
    Likes Received:
    0
    Location:
    Republic of Kalifornia
    btw, don't write your own crypto :o

    these are just tmp passwords right?
     
  14. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,315
    Likes Received:
    70
    Location:
    Tasmania
    Yeah if it's only temporary.. just do what Josh said and prompt them to change it at first login.
     
  15. twenty

    twenty resident nerd

    Joined:
    Jan 19, 2008
    Messages:
    88
    Likes Received:
    0
    Location:
    Canada
    Keep in mind you should always store your passwords as an MD5 hash while they reside in your database...
     
  16. Supergeek

    Supergeek New Member

    Joined:
    Jan 23, 2007
    Messages:
    1,855
    Likes Received:
    0
    Location:
    Colorado
    Since we're bumping this, I'd change
    Code:
    $password = md5($username);
    to
    Code:
    $password = md5($username . "additional encryption seed");
    It's more secure than just the usernames by themselves.
     
  17. brds

    brds OT Supporter

    Joined:
    Jun 26, 2006
    Messages:
    17,642
    Likes Received:
    13
    Location:
    Atlanta
    probably best to do something like:

    Code:
    $password = substr(md5($username . time()), 0, 8);
    
     
  18. Supergeek

    Supergeek New Member

    Joined:
    Jan 23, 2007
    Messages:
    1,855
    Likes Received:
    0
    Location:
    Colorado
    When a user is logging in, don't you basically have to reverse-engineer the md5 hash to verify them?

    Adding the time to a generated md5 hash without recording the full seed gives you a one-time md5 hash doesn't it? How do you verify the user against that?
     
  19. biawokauns

    biawokauns New Member

    Joined:
    Sep 18, 2001
    Messages:
    19,893
    Likes Received:
    0
    Location:
    Republic of Kalifornia
    no, you are checking their hash against the one stored in the computer, not the passwords
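
Added example, not part of the thread and not any poster's code: the select / loop / generate / update procedure from post 2 together with the login check asked about in post 18, in PHP. It assumes PHP 7+ with pdo_sqlite, uses a constructed `users` table and sample usernames, draws each character from `random_int()` rather than a clock-derived value, and swaps in `password_hash()` / `password_verify()` in place of the MD5 mentioned in the thread.

```php
<?php
// Added example: bulk-assign random temporary passwords (not code from the thread).
// Assumptions: PHP 7+ with pdo_sqlite; table, columns and sample users are constructed.

// Alphabet is an illustrative choice; look-alike characters (0/O, 1/l/I) are left out.
const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';

// Each character comes from the OS CSPRNG; nothing is derived from time() or the username.
function temp_password(int $length = 6): string
{
    $max = strlen(ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, $max)];
    }
    return $out;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password_hash TEXT, must_change INTEGER DEFAULT 0)');
$ins = $db->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['alice', 'bob', 'carol'] as $name) {   // constructed sample rows
    $ins->execute([$name]);
}

// Select every row, generate a password, update by the unique id.
$upd = $db->prepare('UPDATE users SET password_hash = ?, must_change = 1 WHERE id = ?');
$handout = [];                                   // plaintext lives only here, for distribution
$db->beginTransaction();
foreach ($db->query('SELECT id, username FROM users')->fetchAll(PDO::FETCH_ASSOC) as $row) {
    $plain = temp_password();
    $upd->execute([password_hash($plain, PASSWORD_DEFAULT), $row['id']]);
    $handout[$row['username']] = $plain;
}
$db->commit();

// Login: password_verify() re-hashes the submitted password with the salt kept in the stored hash.
function login(PDO $db, string $user, string $pw): string
{
    $q = $db->prepare('SELECT password_hash, must_change FROM users WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pw, (string) $row['password_hash'])) {
        return 'denied';
    }
    return $row['must_change'] ? 'ok, must change password' : 'ok';
}
echo login($db, 'alice', $handout['alice']), "\n", login($db, 'alice', 'wrong1'), "\n";
```

The `must_change` flag is the hook for the change-at-first-login prompt suggested in post 14; clear it when the user sets a new password.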
     
