[PHPBB3-9049] Password reminder system generates confusable passwords

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.0.6
Fix Version/s: 3.0.8-RC1
Component/s: User Control Panel (UCP)
Labels:
None

phpBB Import Key:
http://www.phpbb.com/bugs/all/ticket.php?ticket_id=57345

Description

The "forgot password" system uses the "gen_random_string" function to generate the new password, which includes this line:

$rand_str = str_replace('0', 'Z', strtoupper(base_convert($rand_str, 16, 35)));

It seems to be designed to ensure that passwords don't contain both zeros and letter "O"s, as these look much the same in many fonts and could be confused.

But just removing the number '0' is only half of a solution to this problem. Not knowing that passwords can never contain a zero, users could also think that the letter "O" in their password is a zero and will not be able to log on.

I suggest changing that line to:

$rand_str = str_replace(array('0','O'), array('Z','X'), strtoupper(base_convert($rand_str, 16, 35)));

Attachments

Activity

People

Assignee:: Andreas Fischer [X] (Inactive)

Reporter:: thenickdude [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 04/Feb/10 5:09 AM

Updated:: 01/Apr/10 1:45 PM

Resolved:: 07/Feb/10 12:27 AM