I use the following script to generate a temporary password.
Before I get a lecture, I AM aware that this isn't crypto secure, and that I should use something like openssl_random_pseudo_bytes. But my question is not regarding 'being secure'.

    function generateRandomString($length = 10) {
        $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!£$%^&*()?';
        $charactersLength = strlen($characters);
        $randomString = '';
        for ($i = 0; $i < $length; $i++) {
            $randomString .= $characters[rand(0, $charactersLength - 1)];
        }
        return $randomString;
    }

I used PHPMailer connected to Gmail SMTP to email the password to the user. The problem I have is that when my boss did a demonstration of this whilst in another country, the following characters were sent as the temp pw:
New Password: Il%KÂUyÂ?F
Notice the accented A's are not in my string of selectable chars. This has only happened once, however it shouldn't happen at all. As a result of this - the relevant hashes didn't match either, and so the temporary password didn't work. I'm using password_hash($string, PASSWORD_DEFAULT) with field length of 255.
Surely the fact that he was in a different country when he tested the function shouldn't have any bearing on the chars sent seeing as they are generated from the server, which obviously has a static location.

    $key = generateRandomString();
    $msg.="New Password: ".$key."<br><br>";
    $mail->Body = $msg;
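
The `Â` in the received password is consistent with the `£` in the character list: when the source file is saved as UTF-8, `£` is the two bytes C2 A3, while `strlen()` and `$characters[...]` operate on bytes. The following is an added example, not part of the original post, that shows the effect and a character-safe generator; it assumes PHP 7.3+ with mbstring and a UTF-8 source file, and `nonAsciiOffsets` and `generateTempPassword` are hypothetical names.

```php
<?php
// Added example (not the poster's code). Save this file as UTF-8 so '£' is the bytes C2 A3.
const CHARSET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!£$%^&*()?';

// Byte offsets in $s holding non-ASCII bytes, i.e. fragments of a multi-byte character.
function nonAsciiOffsets(string $s): array
{
    $found = [];
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if (ord($s[$i]) > 0x7F) {
            $found[$i] = sprintf('0x%02X', ord($s[$i]));
        }
    }
    return $found;
}

// Hypothetical replacement generator: split into whole characters, pick with a CSPRNG.
function generateTempPassword(int $length = 10, string $charset = CHARSET): string
{
    $chars = preg_split('//u', $charset, -1, PREG_SPLIT_NO_EMPTY);
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $chars[random_int(0, count($chars) - 1)];
    }
    return $password;
}

// strlen() counts bytes, so the rand() bound in the post is one larger than the character count.
printf("bytes=%d characters=%d\n", strlen(CHARSET), mb_strlen(CHARSET, 'UTF-8'));

$offsets = nonAsciiOffsets(CHARSET);
print_r($offsets);
$lone = CHARSET[array_key_first($offsets)];   // byte indexing returns half of '£'

printf("valid UTF-8: %s\n", var_export(mb_check_encoding($lone, 'UTF-8'), true));
printf("shown as ISO-8859-1: %s\n", mb_convert_encoding($lone, 'UTF-8', 'ISO-8859-1'));

// The stored hash covers the raw byte; the recipient types the two-byte character they saw.
$hash = password_hash('Il%K' . $lone, PASSWORD_DEFAULT);
printf("typed-as-seen verifies: %s\n", var_export(password_verify('Il%KÂ', $hash), true));

$fixed = generateTempPassword();
printf("fixed: %s (%d characters, valid UTF-8: %s)\n", $fixed,
    mb_strlen($fixed, 'UTF-8'), var_export(mb_check_encoding($fixed, 'UTF-8'), true));
```

PHPMailer's `CharSet` property defaults to ISO-8859-1, so a message that can contain non-ASCII characters such as `£` also needs `$mail->CharSet = 'UTF-8';`.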