GenPhrase is a secure passphrase generator for PHP applications.

About

GenPhrase is a secure passphrase generator for PHP applications. GenPhrase is based on passwdqc's pwqgen program. See http://www.openwall.com/passwdqc/

GenPhrase can be used to generate secure and easy to memorize random passphrases. For example output, see examples.

GenPhrase can use arbitrary size wordlists. Words for a passphrase are selected uniformly at random from the wordset.

GenPhrase has a series of small security bug bounties. For more information, see GenPhrase Security Bug Bounties.

Requirements

GenPhrase requires PHP version 5.3 or greater with BC Math (--enable-bcmath). The mbstring extension must be available if words are modified (e.g. capitalized).

HHVM compatibility

HipHop VM v2.3 and later is confirmed to support GenPhrase. Earlier versions of HHVM may work as well.

Installation

GenPhrase supports installation using Composer, but make sure you use at least Composer version 1.0.0-beta1 to install GenPhrase (Composer was vulnerable to MITM attacks before 1.0.0-beta1):

genphrase/genphrase

Passphrase generation with GenPhrase

By default, GenPhrase generates passphrases using English words (english.lst). Those passphrases will have at least 50 bits of entropy.

GenPhrase currently has two built-in wordlists: english.lst (default) and diceware.lst. You can add/remove/combine wordlists as you like.

More about the original english wordlist via Openwall: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/passwdqc/passwdqc/wordset_4k.c?rev=1.5;content-type=text%2Fplain

The only difference between the GenPhrase english wordlist and the Openwall wordlist is that we changed all the words to lowercase.

Note, the Diceware list bundled with GenPhrase as of 1.1.0 is EFF's "long" version, but without the four words which contain the "-" character (as this character is a GenPhrase separator character). For more information about EFF's Diceware list, see: https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

Note, GenPhrase allows you to specify separator characters which may be used between the words. If you want to specify these separator characters, make sure you use only unique single-byte characters. More information about setting separator characters is in the usage examples below.

What kind of passphrases does GenPhrase generate?

A few examples to demonstrate the output:

With default settings, a passphrase would look like, for example:

Alter Berlin Paint meaning

Generating a passphrase having 40 bits of entropy:

musica$Menu&Quota

A passphrase having 50 bits of entropy and separator characters and word capitalizing disabled:

setthenrolegiftdancing

Usage

<?php
require '/path/to/library/GenPhrase/Loader.php';
$loader = new GenPhrase\Loader();
$loader->register();

$gen = new GenPhrase\Password();

// Generate a passphrase using english words and (at least) 50 bits of entropy.
$gen->generate();

// Generate a passphrase using english words and custom amount of entropy.
// Entropy must be between 26.0 and 120.0 bits.
$gen->generate(46);

// Remove the default (english) wordlist. This is because we want to use only
// the Diceware list. If you add a new wordlist, but you do not remove the
// default wordlist, then GenPhrase will combine those wordlists.
$gen->removeWordlist('default');

// Add Diceware wordlist.
// $gen->addWordlist('/path/to/GenPhrase/Wordlists/diceware.lst', 'diceware');
// Or more simply (if you give just a filename, GenPhrase will look this
// filename from "Wordlists" folder automatically):
$gen->addWordlist('diceware.lst', 'diceware');
// When creating Diceware phrases, it is recommended not to capitalize any
// words and not to add separator characters (except space, which gets automatically added). To make that
// happen, we configure GenPhrase a little bit more:
$gen->disableSeparators(true); // No separator characters are inserted (except space)
$gen->disableWordModifier(true); // No words are capitalized or changed to lower case (words are not modified)
echo $gen->generate(65); // This will output six "word" passphrases.

// It is possible to force GenPhrase to always use separator characters
// (whether it "makes sense" or not).
// For example, if you generate a passphrase having 35 bits of entropy,
// with default settings, you would get something like: "word1 word2 word3".
// If you force the usage of separators, you would get something like:
// "word1!word2*word3".
$gen->alwaysUseSeparators(true);
// For possible use cases, see pull request #1.

// Change the separator characters.
$gen->setSeparators('123456789');
// NOTE: separator characters must be unique single-byte characters.
// NOTE: you must not use space as a separator character, because space is
// automatically added when appropriate.
// NOTE: minimum number of separator characters is 1. If there is only
// one unique separator character, it won't add any entropy to the passphrase
// (passphrase may require extra word and become longer).

// Set character encoding. The encoding is used internally by GenPhrase when
// calling mb_ functions.
$gen->setEncoding('iso-8859-1');
// By default GenPhrase uses utf-8 encoding.

How is entropy calculated?

As long as we have only unique elements in our wordlist and each element is equally likely to be chosen, we can calculate the entropy per "element" (usually a word) as follows: log2(count_of_elements)

If we choose, say, 4 elements, the total entropy is: 4 * log2(count_of_elements)

If we choose 2 elements and one separator element: 2 * log2(count_of_elements) + log2(count_of_separators)

By default, GenPhrase will randomly (50:50 chance) modify the first character of a word to either lower or upper case ("Apple" becomes "apple", "orange" becomes "Orange", etc.).

In terms of entropy, this means we are actually doubling the "unique element count" (our wordlist has, say, a word "apple", so we could come up with a word "apple" or "Apple"): log2(2 * count_of_elements)
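
The formulas above, worked through as an added example (not GenPhrase's own code; the function names are hypothetical and it assumes PHP 7 or later). It assumes the english list holds 4096 words, takes 7772 words for the bundled Diceware list (EFF's long list of 7776 minus four), and assumes one random separator in each gap between words.

```php
<?php
// Added example: names are hypothetical, this is not GenPhrase's internal code.

// Bits contributed by one word drawn uniformly from $wordCount unique words.
// With the word modifier on, the first letter's case is a 50:50 choice,
// which doubles the number of distinct elements.
function wordBits(int $wordCount, bool $modifier): float
{
    return log(($modifier ? 2 : 1) * $wordCount, 2);
}

// Bits contributed by one separator. Only unique single-byte characters
// count, so duplicates are collapsed first ('--' is one choice, 0 bits).
function separatorBits(string $separators): float
{
    $unique = strlen(count_chars($separators, 3)); // mode 3: unique bytes used
    return $unique > 0 ? log($unique, 2) : 0.0;
}

// Total entropy of $n words joined by $n - 1 random separators.
function phraseBits(int $n, int $wordCount, bool $modifier, string $separators = ''): float
{
    return $n * wordBits($wordCount, $modifier)
        + max(0, $n - 1) * separatorBits($separators);
}

// Smallest number of words whose total entropy reaches $targetBits.
function wordsNeeded(float $targetBits, int $wordCount, bool $modifier, string $separators = ''): int
{
    if ($wordCount < 2) {
        throw new InvalidArgumentException('wordlist needs at least 2 unique words');
    }
    $n = 1;
    while (phraseBits($n, $wordCount, $modifier, $separators) < $targetBits) {
        $n++;
    }
    return $n;
}

// Constructed inputs: 4096 (assumed english list size) and 7772 (Diceware).
$n = wordsNeeded(50, 4096, true);
printf("english, modifier on, 50 bits: %d words, %.1f bits\n", $n, phraseBits($n, 4096, true));
printf("diceware, unmodified, 65 bits: %d words\n", wordsNeeded(65, 7772, false));
printf("bits per separator: '--' %.2f, '123456789' %.2f\n",
    separatorBits('--'), separatorBits('123456789'));
```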

Issues or questions?

Mail me at [email protected] or use GitHub.

Comments
  • [Clarification request] entropy vs. length of wordlist file

    I set up a wordlist file with 26 lines comprising the words (characters) "a" .. "z".

    Each "word" contributes log2(26) = 4,7 bit okay ?

    My program

    <?php
    require 'library/GenPhrase/Loader.php';
    $loader = new GenPhrase\Loader();
    $loader->register();
    $gen = new GenPhrase\Password();
    # $gen->disableSeparators(false); // No separator characters are inserted
    
    $gen->disableWordModifier(true); // No words are capitalized or changed to lower case (words are not modified)
    $gen->setSeparators('--');
    $gen->alwaysUseSeparators(true);
    echo $gen->generate(52) . "\n";
    

    Example output: h-x-m-p-j-h-q-c-u-u

    generates only 10 "words", which means ~ 47 bit entropy instead of the requested 52.

    Pls. can you explain ?

    opened by Wikinaut 14
  • Mandate at least one word to begin with uppercase letter?

    I'd really like to be able to force at least one word to begin with an uppercase letter but I don't see a way to achieve this currently with the library.

    Not a big deal, just thought it might be useful - especially since many systems enforce uppercase letters.

    What do you think?

    opened by twistedpixel 8
  • [Bug] Set of separators issue: I want all generated words separated by a certain character. This does not work as explained.

    I wanted all generated words separated by a single dash "-".

    First I tried $gen->setSeparators('-'); This threw an error. Readme says, that always a "space" is automatically added to the set, but this appears to be wrong. Then I tried

    $gen->setSeparators('- '); // does not work either, see code below.

    So the syntax and/or explanation is weird, unclear. Please explain:

    How can a certain fixed separator like (" ") or ("-") be defined ? The current program version does not work correctly.


    Code:

    <?php
    require 'library/GenPhrase/Loader.php';
    $loader = new GenPhrase\Loader();
    $loader->register();
    $gen = new GenPhrase\Password();
    # $gen->disableSeparators(false); // No separator characters are inserted
    
    $gen->disableWordModifier(true); // No words are capitalized or changed to lower case (words are not modified)
    $gen->setSeparators('--');
    $gen->alwaysUseSeparators(true);
    echo $gen->generate(52) . "\n";
    
    opened by Wikinaut 4
  • [Suggestion] use EFF's new wordlist

    See https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

    There are three differently flavoured lists available, one long one, and two short ones.

    opened by Wikinaut 2
  • Test enhancement

    Changed log

    • Using the psr-4 to load classes automatically.
    • Use the correct assertions to assert the result values.
    • Using the white list code coverage in phpunit.xml.dist.
    opened by peter279k 1
  • Add an option to always use specified separators

    This option makes it so it always uses the separators list, ignoring the makesSenseToUseSeparators method. The reason I implemented this is because the password requirement for our domain needs an alphanumeric password with at least one uppercase character. This is achievable by setting '1234567890' as the separators list, and forcing it to be used with this option, then using a word modifier.

    opened by ChadSikorra 1
  • [Feature Request] Wordlists with > 65536 words

    Right now, if you supply a wordlist with more than 65536 words, it errors out with:

    $poolSize must be between 2 and 65536

    If you change Random::MAX_ALLOWED_POOL_SIZE to 16,777,216 (2^24) and Random::MAX_ALLOWED_POWER_OF_TWO to 2,147,483,648 (2^31) you could start supporting wordlists with up to 16,777,216 words.

    Right now, in order to get my current wordlist to work (125,000 words), I have had to change these values manually. But there's no reason I can think of why this shouldn't be supported out of the box?

    opened by ProjectCleverWeb 9
Owner
timoh