PHPBB3-9049

Password reminder system generates confusable passwords

      Description

      The "forgot password" system uses the "gen_random_string" function to generate the new password, which includes this line:

      $rand_str = str_replace('0', 'Z', strtoupper(base_convert($rand_str, 16, 35)));

      It seems to be designed to ensure that passwords don't contain both zeros and letter "O"s, as these look much the same in many fonts and could be confused.

      But just removing the number '0' is only half of a solution to this problem. Not knowing that passwords can never contain a zero, users could also think that the letter "O" in their password is a zero and will not be able to log on.

      I suggest changing that line to:

      $rand_str = str_replace(array('0','O'), array('Z','X'), strtoupper(base_convert($rand_str, 16, 35)));
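The following PHP is an added illustration for this report, not phpBB's own code. It applies the quoted transform and the proposed replacement to fixed, constructed hex inputs so the effect on the letter "O" is reproducible, and then shows the alternative a reviewer would normally reach for: drawing each character from an explicit alphabet that already omits the confusable pairs (here also 1/I/L, which goes slightly beyond the report's 0/O case). All function names below are hypothetical.

```php
<?php
// Added example; not code from phpBB. Function names are hypothetical.

// The transform quoted in the report, applied to a caller-supplied hex
// string so the result is reproducible. base_convert(..., 16, 35) only
// emits the digits 0-9 and the letters a-y, so 'z' never occurs and
// mapping '0' to 'Z' does remove zero, but the letter 'O' (digit 24 in
// base 35) survives untouched.
function original_transform(string $hex): string
{
    return str_replace('0', 'Z', strtoupper(base_convert($hex, 16, 35)));
}

// The replacement proposed in the report. 'X' is already produced by
// base_convert, so folding 'O' onto it makes 'X' about twice as likely
// as any other character; it removes the confusion but skews the alphabet.
function proposed_transform(string $hex): string
{
    return str_replace(array('0', 'O'), array('Z', 'X'),
        strtoupper(base_convert($hex, 16, 35)));
}

// Alternative: pick every character uniformly from an alphabet that has
// no confusable pair at all (0/O, 1/I/L removed). random_int() is PHP's
// CSPRNG and gives an unbiased index, so no post-hoc str_replace is needed.
function gen_unambiguous_password(int $length = 8): string
{
    $alphabet = '23456789ABCDEFGHJKMNPQRSTUVWXYZ';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// True if the string contains any character a user is likely to misread.
function has_confusable(string $s): bool
{
    return preg_match('/[0O1Il]/', $s) === 1;
}

// Constructed inputs: 0x348 = 840 = 24 * 35 + 0, i.e. "o0" in base 35.
// The original transform turns it into "OZ": zero is gone, 'O' is not.
$sample = '348';
var_dump(original_transform($sample));        // string(2) "OZ"
var_dump(has_confusable(original_transform($sample)));  // bool(true)
var_dump(proposed_transform($sample));        // string(2) "XZ"
var_dump(has_confusable(proposed_transform($sample)));  // bool(false)

$pw = gen_unambiguous_password(12);
var_dump(strlen($pw));                        // int(12)
var_dump(has_confusable($pw));                // bool(false)
```

Run with `php example.php`. The alphabet approach is preferable to patching the output of base_convert because the character set is stated once, every character is equally likely, and adding or removing a confusable pair is a one-line change to the string rather than another str_replace.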

            People

            • Assignee: bantu (Andreas Fischer)
            • Reporter: thenickdude
