User created vs. php generated passwords

Normally a user creates a password; Hopefully a good one. Instead of the user creating the password, is there any reason a website should not use PHP to generate a unique password for the user? Are there pros and cons? Thanks.
4 Solutions
Aaron Tomosky, Technology Consultant, Commented:
If it's actually random? Then there would be no security reason not to. However, most people prefer ease of use to real security.
Loganathan Natarajan, LAMP Developer, Commented:
From my point of view, both can be more secure if we choose a very strong password with some criteria. For example, for user-generated passwords, we should ask them to choose one with mixed case (numbers and symbols) etc., ref. User Generate Password

At the same time, you can generate PHP-based passwords using a hash function etc., ref. Secure password using Hash
kadin (Author) Commented:
Thanks for your response.

I thought it would be easier if a password was assigned to the user because the user would be saved the effort of thinking of a password to use. Plus the password the average user might think of will be too weak, thus prompting the form to ask the user to try something more complex.

What exactly do you mean by ease of use? Thanks.
Ray Paseur Commented:
What if your automobile license plate is KNH-331 and you decide your password can be KNH-331?  Now consider that PHP assigns you a password that looks like this:
6cedaad837375138d05c6d5c03e02376 or even like this: 6cedaad?  Which do you think is "easier?"

Security is always a trade-off between client convenience and system integrity.  We choose different ways of thinking about bowling scores and nuclear codes.  Somewhere along the continuum there are "happy values" for our choices.
Olaf Doschke, Software Developer, Commented:
Ease of use? Easy to remember. Even if you choose a secure password, or have it created for you, if you simply copy it into a passwords.txt and copy it from there, is it really safer? Password safety is a mixture of its composition and how it's stored, and that's beyond your control.

That said, it's very common that you get initial passwords generated, e.g. for FTP to a web hosting space, but it's also very common that a user signs up for a website with a self-chosen username and password.

Bye, Olaf.
kadin (Author) Commented:
Thank you all for your input.
You should teach your users that a password like "Snowcamel@Tripcar" is actually better than "r9Rf#F7s" because it has more characters and they can actually remember it without writing it down. They shouldn't use sentences or something that makes any sense, just random words.
If you then store the hash of the password along with the length and check both on authentication, it should be pretty safe for brute force attacks...
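
The thread asks whether PHP can generate the password and notes it must be "actually random" while staying easy to use. The following is an added example, not code from any of the posters: it draws both a character password and a random-word passphrase from PHP's CSPRNG (`random_int`) and reports the entropy of each. The word list, alphabet and function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample word list; a real deployment would load a list of
// several thousand words so that each word contributes more entropy.
const WORDS = ['snow', 'camel', 'trip', 'car', 'lantern', 'orbit', 'velvet', 'pickle',
               'harbor', 'quartz', 'meadow', 'copper', 'tunnel', 'walnut', 'breeze', 'anchor'];

// Unambiguous characters (no 0/O/o, 1/l/I) so a user can transcribe the password.
const ALPHABET = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

/** Random character password; random_int() uses the OS CSPRNG and has no modulo bias. */
function generatePassword(int $length = 16): string
{
    $max = strlen(ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, $max)];
    }
    return $out;
}

/** Random-word passphrase; every word is picked independently and uniformly. */
function generatePassphrase(int $count = 4, string $sep = '-'): string
{
    $picked = [];
    for ($i = 0; $i < $count; $i++) {
        $picked[] = WORDS[random_int(0, count(WORDS) - 1)];
    }
    return implode($sep, $picked);
}

/** Entropy in bits of $count uniform picks from a pool of $poolSize items. */
function entropyBits(int $poolSize, int $count): float
{
    return $count * log($poolSize, 2);
}

$password   = generatePassword();
$passphrase = generatePassphrase();
printf("password:   %s (%.1f bits)\n", $password, entropyBits(strlen(ALPHABET), 16));
printf("passphrase: %s (%.1f bits from a %d-word list)\n",
       $passphrase, entropyBits(count(WORDS), 4), count(WORDS));

// Store only a salted, slow hash of whichever secret the user keeps.
$hash = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $hash));
```

The entropy figures show why list size matters: four words from this 16-word sample list give far fewer bits than the 16-character password, so a passphrase generator needs a much larger list or more words.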
