GenPhrase is a secure passphrase generator for PHP applications.

Related tags

GenPhrase
Overview

About

Packagist License Build Status

GenPhrase is a secure passphrase generator for PHP applications. GenPhrase is based on passwdqc's pwqgen program. See http://www.openwall.com/passwdqc/

GenPhrase can be used to generate secure and easy to memorize random passphrases. For example output, see examples.

GenPhrase can use arbitrary size wordlists. Words for a passphrase are selected uniformly at random from the wordset.

GenPhrase has a series of small security bug bounties. For more information, see GenPhrase Security Bug Bounties.

Requirements

GenPhrase requires PHP version 5.3 or greater with BC Math (--enable-bcmath). mbstring extension must be available if words are modified (e.g. capitalized).

HHVM compatibility

HipHop VM v2.3 and later is confirmed to support GenPhrase. Earlier versions of HHVM may work as well.

Installation

GenPhrase supports installation using Composer, but make sure you use at least Composer version 1.0.0-beta1 to install GenPhrase (Composer was vulnerable to MITM attacks before 1.0.0-beta1):

genphrase/genphrase

Passphrase generation with GenPhrase

By default, GenPhrase generates passphrases using english words (english.lst). Those passphrases will have at least 50 bits of entropy.

GenPhrase has currently two built-in wordlists: english.lst (default) and diceware.lst. You can add/remove/combine wordlists as you like.

More about the original english wordlist via Openwall: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/passwdqc/passwdqc/wordset_4k.c?rev=1.5;content-type=text%2Fplain

The only modification between the GenPhrase english wordlist and the Openwall wordlist is we changed all the words to be lowercase.

Note, the Diceware list bundled with GenPhrase as of 1.1.0 is EFF's "long" version, but without four words which contains "-" character (as this character is a GenPhrase separator character). For more information about EFF's Diceware list, see: https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

Note, GenPhrase allows you to specify separator characters which may be used between the words. If you want to specify these separator characters, make sure you use only unique single-byte characters. More information about setting separator characters is in the usage examples below.

What kind of passphrases GenPhrase generate?

A few examples to demonstrate the output:

With default settings, the passphrase would be for example like:

Alter Berlin Paint meaning

Generating a passphrase having 40 bits of entropy:

musica$Menu&Quota

A passphrase having 50 bits of entropy and separator characters and word capitalizing disabled:

setthenrolegiftdancing

Usage

<?php
require '/path/to/library/GenPhrase/Loader.php';
$loader = new GenPhrase\Loader();
$loader->register();
<?php
$gen = new GenPhrase\Password();

// Generate a passphrase using english words and (at least) 50 bits of entropy.
$gen->generate();

// Generate a passphrase using english words and custom amount of entropy.
// Entropy must be between 26.0 and 120.0 bits.
$gen->generate(46);

// Remove the default (english) wordlist. This is because we want to use only
// the Diceware list. If you add a new wordlist, but you do not remove the
// default wordlist, then GenPhrase will combine those wordlists.
$gen->removeWordlist('default');

// Add Diceware wordlist.
// $gen->addWordlist('/path/to/GenPhrase/Wordlists/diceware.lst', 'diceware');
// Or more simply (if you give just a filename, GenPhrase will look this
// filename from "Wordlists" folder automatically):
$gen->addWordlist('diceware.lst', 'diceware');
// When creating Diceware phrases, it is recommended not to capitalize any
// words and not to add separator characters (except space, which gets automatically added). To make that
// happen, we configure GenPhrase a little bit more:
$gen->disableSeparators(true); // No separator characters are inserted (except space)
$gen->disableWordModifier(true); // No words are capitalized or changed to lower case (words are not modified)
echo $gen->generate(65) // This will output six "word" passphrases.

// It is possible to force GenPhrase to always use separator characters
// (whether it "makes sense" or not).
// For example, if you generate a passphrase having 35 bits of entropy,
// with default settings, you would get something like: "word1 word2 word3".
// If you force the usage of separators, you would get something like:
// "word1!word2*word3".
$gen->alwaysUseSeparators(true);
// For possible use cases, see pull request #1.

// Change the separator characters.
$gen->setSeparators('123456789');
// NOTE: separator characters must be unique single-byte characters.
// NOTE: you must not use space as a separator character, because space is
// automatically added when appropriate.
// NOTE: minimum number of separator characters is 1. If there there is only
// one unique separator character, it won't add any entropy to the passphrase
// (passphrase may require extra word and become longer).

// Set character encoding. The encoding is used internally by GenPhrase when
// calling mb_ functions.
$gen->setEncoding('iso-8859-1');
// By default GenPhrase uses utf-8 encoding.

How is entropy calculated?

As long as we have only unique elements in our wordlist and each element is equally likely to be chosen, we can calculate the entropy per "element" (usually a word) as follows: log2(count_of_elements)

If we choose, say, 4 elements, the total entropy is: 4 * log2(count_of_elements)

If we choose 2 elements and one separator element: 2 * log2(count_of_elements) + log2(count_of_separators)

By default, GenPhrase will randomly (50:50 change) modify the first character of a word to either lower or upper case ("Apple" becomes "apple", "orange" becomes "Orange" etc.

In terms of entropy, this means we are actually doubling the "unique element count" (our wordlist has, say, a word "apple", so we could come up with a word "apple" or "Apple"): log2(2 * count_of_elements)

Issues or questions?

Mail me at [email protected] or use GitHub.

Issues
  • [Clarification request] entropie vs. length of wordlist file

    [Clarification request] entropie vs. length of wordlist file

    I set up a wordlist file with 26 lines comprising the words (characters) "a" .. "z".

    Each "word" contributes log2(26) = 4,7 bit okay ?

    My program

    <?php
    require 'library/GenPhrase/Loader.php';
    $loader = new GenPhrase\Loader();
    $loader->register();
    $gen = new GenPhrase\Password();
    # $gen->disableSeparators(false); // No separator characters are inserted
    
    $gen->disableWordModifier(true); // No words are capitalized or changed to lower case (words are not modified)
    $gen->setSeparators('--');
    $gen->alwaysUseSeparators(true);
    echo $gen->generate(52) . "\n";
    

    Example output: h-x-m-p-j-h-q-c-u-u

    generates only 10 "words", which means ~ 47 bit entropy instead of the requested 52.

    Pls. can you explain ?

    opened by Wikinaut 14
  • Mandate at least one word to begin with uppercase letter?

    Mandate at least one word to begin with uppercase letter?

    I'd really like to be able to force at least one word to begin with an uppercase letter but I don't see a way to achieve this currently with the library.

    Not a big deal, just thought it might be useful - specially since many systems enforce uppercase letters.

    What do you think?

    opened by twistedpixel 8
  • [Bug] Set of separators issue: I want all generated words separated by a certain character. This does not work as explained.

    [Bug] Set of separators issue: I want all generated words separated by a certain character. This does not work as explained.

    I wanted all generated words separated by a single dash "-".

    First I tried $gen->setSeparators('-'); This threw an error. Readme says, that always a "space" is automatically added to the set, but this appears to be wrong. Then I tried

    $gen->setSeparators('- '); // does not work either, see code below.

    So the syntax and/or explanation is weird, unclear. Please explain:

    How can a certain fixed separator like (" ") or ("-") be defined ? The current program version does not work correctly.


    Code:

    <?php
    require 'library/GenPhrase/Loader.php';
    $loader = new GenPhrase\Loader();
    $loader->register();
    $gen = new GenPhrase\Password();
    # $gen->disableSeparators(false); // No separator characters are inserted
    
    $gen->disableWordModifier(true); // No words are capitalized or changed to lower case (words are not modified)
    $gen->setSeparators('--');
    $gen->alwaysUseSeparators(true);
    echo $gen->generate(52) . "\n";
    
    opened by Wikinaut 4
  • [Suggestion] use EFF's new wordlist

    [Suggestion] use EFF's new wordlist

    See https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

    There are three differently flavoured lists available, one long one, and two short ones.

    opened by Wikinaut 2
  • Add an option to always use specified separators

    Add an option to always use specified separators

    This option makes it so it always uses the separators list, ignoring the makesSenseToUseSeparators method. The reason I implemented this is because the password requirement for our domain needs an alphanumeric password with at least one uppercase character. This is achievable by setting '1234567890' as the separators list, and forcing it to be used with this option, then using a word modifier.

    opened by ChadSikorra 1
  • Test enhancement

    Test enhancement

    Changed log

    • Using the psr-4 to load classes automatically.
    • Use the correct assertions to assert the result values.
    • Using the white list code coverage in phpunit.xml.dist.
    opened by peter279k 1
  • Add bcmath extension as a dependency

    Add bcmath extension as a dependency

    Without the extension you get "Call to undefined function GenPhrase\bcadd()"

    opened by omnicolor 1
  • [Feature Request] Wordlists with > 65536 words

    [Feature Request] Wordlists with > 65536 words

    Right now, if you supply a wordlists with more than 65536 words, it errors our with:

    $poolSize must be between 2 and 65536

    If you change Random::MAX_ALLOWED_POOL_SIZE to 16,777,216 (2^24) and Random::MAX_ALLOWED_POWER_OF_TWO to 2,147,483,648 (2^31) you could start supporting wordlists with up to 16,777,216 words.

    Right now, in order to get my current wordlist to work (125,000 words), I have had to change these values manually. But there's no reason I can think of why this shouldn't be supported out of the box?

    opened by ProjectCleverWeb 9
Owner
timoh
timoh
PHP Library to generate random passwords

Password Generator Library Simple library for generating random passwords. Requirements PHP >= 7.1 We only support PHP 7.3+ Installation Install Compo

Daniel Platt 231 Jun 30, 2021
A library for generating and validating passwords

PHP-PasswordLib Build Status Version The current version is considered Beta. This means that it is ready enough to test and use, but beware that you s

Anthony Ferrara 372 Jul 7, 2021
Python implementation of the portable PHP password hashing framework

Portable PHP password hashing framework implemented in Python. This Python implementation meant to be an exact port of the the original PHP version.

Rez 46 Nov 25, 2019
Validates passwords against PHP's password_hash function using PASSWORD_DEFAULT. Will rehash when needed, and will upgrade legacy passwords with the Upgrade decorator.

Password Validator Password Validator validates password_hash generated passwords, rehashes passwords as necessary, and will upgrade legacy passwords.

Jeremy Kendall 143 Jun 20, 2021
Compatibility with the password_* functions that ship with PHP 5.5

password_compat This library is intended to provide forward compatibility with the password_* functions that ship with PHP 5.5. See the RFC for more d

Anthony Ferrara 2.1k Jul 24, 2021
Realistic PHP password strength estimate library based on Zxcvbn JS

Zxcvbn-PHP is a password strength estimator using pattern matching and minimum entropy calculation. Zxcvbn-PHP is based on the the Javascript zxcvbn p

Ben Jeavons 644 Jul 13, 2021
A password policy enforcer for PHP and JavaScript

PasswordPolicy A tool for checking and creating password policies in PHP and JS. Installation Use composer to setup an autoloader php composer.phar in

Anthony Ferrara 71 Jul 3, 2021