PHP password generation

abstract

Modern web-applications often provide (during registration, or password-reset) random-generated passwords for its users. However these passwords (usually a random combination of letters or numbers) are quite hard to remember: in fact, it's even impossible to read them. This article provides a function for generating English-like readable passwords.

compatible

PHP 4.3.0 or higher
PHP 5

Traditional way of generating passwords is using rand() function: concatenate several random-selected letters together. Something like this:

<?php
function gen_trivial_password($len = 6)
{
    $r = '';
    for($i=0; $i<$len; $i++)
        $r .= chr(rand(0, 25) + ord('a'));
    return $r;
}
?>

Typical passwords produced by this function:

kaaxqgsf
rnspvfjh
ndtfrdfj

Combination of rand() and md5() function is often used as a simpler alternative:

<?php
function gen_md5_password($len = 6)
{
    // function calculates 32-digit hexadecimal md5 hash
    // of some random data
    return substr(md5(rand().rand()), 0, $len);
}
?>

Passwords generated by this function consists of hexadecimal numbers (0-9, A-F). They are also impossible to read and difficult to remember.

bc923e42
bcff4cb3
1394f386

Proposed function ae_gen_password tries to generate readable easy-to-remember passwords, like following:

lyttakor
rixagist
fapoution

Algorithm is simple: we have an array of traditional English (in fact, of a latin and greek origin) prefixes (like kilo-, nano-, bio-, mini-, auto-, ...) and an array of common suffixes (like -tion, -ment, -or, ...). Beside prefix and suffixes-arrays, we have a list of a vowel and consonant sound-letters (letters that produce vowel and consonant sounds).

To generate a password, we take random prefix(optionally), produce several simple syllables (one random consonant and one random vowel) and then select random suffix.

<?php
function ae_gen_password($syllables = 3, $use_prefix = false)
{

    // Define function unless it is already exists
    if (!function_exists('ae_arr'))
    {
        // This function returns random array element
        function ae_arr(&$arr)
        {
            return $arr[rand(0, sizeof($arr)-1)];
        }
    }

    // 20 prefixes
    $prefix = array('aero', 'anti', 'auto', 'bi', 'bio',
                    'cine', 'deca', 'demo', 'dyna', 'eco',
                    'ergo', 'geo', 'gyno', 'hypo', 'kilo',
                    'mega', 'tera', 'mini', 'nano', 'duo');

    // 10 random suffixes
    $suffix = array('dom', 'ity', 'ment', 'sion', 'ness',
                    'ence', 'er', 'ist', 'tion', 'or'); 

    // 8 vowel sounds 
    $vowels = array('a', 'o', 'e', 'i', 'y', 'u', 'ou', 'oo'); 

    // 20 random consonants 
    $consonants = array('w', 'r', 't', 'p', 's', 'd', 'f', 'g', 'h', 'j', 
                        'k', 'l', 'z', 'x', 'c', 'v', 'b', 'n', 'm', 'qu');

    $password = $use_prefix?ae_arr($prefix):'';
    $password_suffix = ae_arr($suffix);

    for($i=0; $i<$syllables; $i++)
    {
        // selecting random consonant
        $doubles = array('n', 'm', 't', 's');
        $c = ae_arr($consonants);
        if (in_array($c, $doubles)&&($i!=0)) { // maybe double it
            if (rand(0, 2) == 1) // 33% probability
                $c .= $c;
        }
        $password .= $c;
        //

        // selecting random vowel
        $password .= ae_arr($vowels);

        if ($i == $syllables - 1) // if suffix begin with vovel
            if (in_array($password_suffix[0], $vowels)) // add one more consonant 
                $password .= ae_arr($consonants);

    }

    // selecting random suffix
    $password .= $password_suffix;

    return $password;
}
?>

The first argument of a function is a number of syllables in a password (not recommended to use less than 2), the second argument is a prefix flag(whether to add prefix or not).

Example usage:

<!-- don't forget to paste code of ae_gen_password function 
(see above) here -->
<html><head><title>Memorizable password generator</title></head>
<body>
<h1>Memorizable password generator</h2>
(press 'Refresh' to generate more)

<h2>2 syllables, no prefix</h2>
<ul>
<?php 
for($i=0; $i<10; $i++)
    echo "<li>".ae_gen_password(2, false)."</li>";
?>
</ul>

<h2>2 syllables, prefix</h2>
<ul>
<?php 
for($i=0; $i<10; $i++)
    echo "<li>".ae_gen_password(2, true)."</li>";
?>
</ul>


<h2>3 syllables, no prefix</h2>
<ul>
<?php 
for($i=0; $i<10; $i++)
    echo "<li>".ae_gen_password(3, false)."</li>";
?>
</ul>

<h2>3 syllables, prefix</h2>
<ul>
<?php 
for($i=0; $i<10; $i++)
    echo "<li>".ae_gen_password(3, true)."</li>";
?>
</ul>    
</body>
</html>

warning

Crypto-analytic who knows password generation algorithm(and the set of prefixes/suffixes) may perform successful brute-force attack (trying all possible passwords). However 3-syllable passwords(without prefix) are nearly as difficult to guess as 6-digit hexadecimal(string 0-F) password, which is suitable for non-critical applications.
Consider changing(adding more) arrays of prefixes/suffixes if you plan to use ae_gen_password function seriously

tested by AnyExample.com on 2006-12-21

FreeBSD 5.2 :: PHP 5.1.4
Ubuntu Linux 6.2 :: PHP 5.2

License | Privacy | Contact