phpBB3 issue PHPBB3-9049

Password reminder system generates confusable passwords

Details

Description

The "forgot password" system uses the "gen_random_string" function to generate the new password, which includes this line:

    $rand_str = str_replace('0', 'Z', strtoupper(base_convert($rand_str, 16, 35)));

It seems to be designed to ensure that passwords don't contain both zeros and letter "O"s, as these look much the same in many fonts and could be confused.

But just removing the number '0' is only half of a solution to this problem. Not knowing that passwords can never contain a zero, users could also think that the letter "O" in their password is a zero and will not be able to log on.

I suggest changing that line to:

    $rand_str = str_replace(array('0','O'), array('Z','X'), strtoupper(base_convert($rand_str, 16, 35)));
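As an added illustration (not phpBB code, and not part of the report), the following PHP enumerates every character each variant of the line can emit and checks whether either member of the 0/O pair survives in the resulting alphabet; the function names are mine.

```php
<?php
// Added example: audit the output alphabet of the phpBB password-reminder line
// in its original form and in the form proposed in the report.

// Original line: base-35 digits are 0-9a-y; uppercase, then map '0' -> 'Z'.
function original_transform(string $hex): string {
    return str_replace('0', 'Z', strtoupper(base_convert($hex, 16, 35)));
}

// Proposed line: additionally map 'O' -> 'X' (str_replace applies the pairs in order).
function proposed_transform(string $hex): string {
    return str_replace(array('0', 'O'), array('Z', 'X'),
                       strtoupper(base_convert($hex, 16, 35)));
}

// Each base-35 digit is transformed independently, so feeding the 35 single-digit
// values 0..34 through the transform yields its complete output alphabet.
function output_alphabet(callable $transform): array {
    $chars = array();
    for ($v = 0; $v < 35; $v++) {
        foreach (str_split($transform(dechex($v))) as $c) {
            $chars[$c] = true;
        }
    }
    ksort($chars);
    return array_keys($chars);
}

// Return the members of a confusable pair that the alphabet can still produce.
function confusable_report(array $alphabet, array $pair = array('0', 'O')): array {
    return array_values(array_intersect($pair, $alphabet));
}

$orig = output_alphabet('original_transform');
$prop = output_alphabet('proposed_transform');

// Original alphabet keeps 'O' (zero was removed, so a user reading 'O' as '0' is locked out);
// the proposed alphabet contains neither character.
printf("original (%d chars): %s\n  0/O survivors: %s\n", count($orig), implode('', $orig),
       implode(',', confusable_report($orig)) ?: '(none)');
printf("proposed (%d chars): %s\n  0/O survivors: %s\n", count($prop), implode('', $prop),
       implode(',', confusable_report($prop)) ?: '(none)');
```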

People

Assignee: bantu (Andreas Fischer)
Reporter: thenickdude