• Andy

    (@andys2p)


    Hello,

    In my project I must use a custom RegExp when generating a password. The wp_generate_password() function is used in lots of places in WP, not necessarily for users’ passwords.

    If I leave the default password generation using the wp_generate_password() function, passwords might not pass my custom RegExp, so I wanted to use the filter in this function to overwrite the password if the RegExp fails. But as the filter doesn’t receive the parameters which the wp_generate_password() function receives, in my custom password generation function I don’t know what restrictions the generated password should have, as I receive only the generated password as a parameter, so I know the length.

    I could, of course, get each char of the password and check if they are from a specific set of characters and decide if $special_chars and $extra_special_chars were provided, but that’s an overhead to the function, and also, because the password is randomly generated, I couldn’t know if the password should contain $special_chars or $extra_special_chars.

    If I use only my password generator to match my RegExp, lost password token will fail so users will not be able to retrieve new passwords.

    Best solution I see is to send $special_chars and $extra_special_chars as parameters to the filter:

    return apply_filters( 'random_password', $password, $special_chars, $extra_special_chars );

    Regards,
    Andy

Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    Extra parameters in a filter call are not a realistic near-term solution because no one should be altering core code. Long term you could request they be added as a feature enhancement through Trac, but there’s no telling how long or if that will ever happen.

    You can’t even reliably deduce the special chars states because they merely add chars to the random pool, there is no guarantee special chars will actually end up in the eventual password. They are not required restrictions but additional variability.

    I don’t see how altering the password in ‘random_password’ would inhibit password resets. Whichever password you return will be used as a reset key. FWIW, the reset key function does not ask that special chars be added to the pool.

    Is your regexp matching requirement for a particular regexp or any reasonably valid regexp? If the regexp is known, it’s simple to build a matching password. If the regexp is not known, you’d need to be able to parse the regexp in order to build a matching password. Just randomly generating passwords until they match the unknown regexp may never hit upon the right combination.
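
The "known regexp" case from the reply above, as an added example that is not part of the original thread or of WordPress core: a 'random_password' callback that keeps the generated value when it already matches and otherwise builds one that matches by construction. The policy regexp, the 12-character minimum, the symbol set and every myplugin_* name are assumptions made for illustration.

```php
<?php
// Added example. MYPLUGIN_POLICY_REGEX and the myplugin_* functions are hypothetical.
// Assumed policy: 12+ chars with at least one lowercase, uppercase, digit and symbol.
const MYPLUGIN_POLICY_REGEX = '/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\-_~]).{12,}$/';

function myplugin_build_password( int $length ): string {
    // Assumption: symbols are limited to URL-unreserved characters, because the
    // thread notes that the filtered value is also used as the reset key.
    $classes = array(
        'abcdefghijklmnopqrstuvwxyz',
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        '0123456789',
        '-_~',
    );
    $length = max( $length, 12 ); // Never go below the policy minimum.
    $pool   = implode( '', $classes );
    $chars  = array();

    // One character from each required class guarantees every lookahead matches.
    foreach ( $classes as $set ) {
        $chars[] = $set[ random_int( 0, strlen( $set ) - 1 ) ];
    }
    // Fill the remaining positions from the whole pool using the CSPRNG.
    while ( count( $chars ) < $length ) {
        $chars[] = $pool[ random_int( 0, strlen( $pool ) - 1 ) ];
    }
    // Fisher-Yates shuffle so the forced characters do not sit at fixed positions.
    for ( $i = count( $chars ) - 1; $i > 0; $i-- ) {
        $j           = random_int( 0, $i );
        $tmp         = $chars[ $i ];
        $chars[ $i ] = $chars[ $j ];
        $chars[ $j ] = $tmp;
    }
    return implode( '', $chars );
}

// Receives only the generated password, as described in the thread.
function myplugin_filter_random_password( $password ) {
    if ( 1 === preg_match( MYPLUGIN_POLICY_REGEX, $password ) ) {
        return $password; // Already compliant: leave core's value untouched.
    }
    return myplugin_build_password( strlen( $password ) );
}

if ( function_exists( 'add_filter' ) ) { // Guard so the file also loads outside WordPress.
    add_filter( 'random_password', 'myplugin_filter_random_password' );
}
```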

  • The topic ‘wp_generate_password() issues when using custom regexp for passwords’ is closed to new replies.