Click here to close now.

Welcome!

PHP Authors: Carmen Gonzalez, Hovhannes Avoyan, Lori MacVittie, Trevor Parsons, Andreas Grabner

Related Topics: PHP, Cloud Security

PHP: Article

Using PHP to Enhance Password Security

Converting a phrase to a seemingly random password using PHP

When dictating password policies to users, it is common for such policies to require that users generate passwords that contain a combination of uppercase and lowercase letters, as well as numbers and special characters. Moreover, it is well established that the strengths of such passwords are further enhanced if the passwords do not in any way resemble dictionary words, since minor substitutions of dictionary words and names are often included in the dictionaries used in dictionary-based attacks and in some rainbow table variants. Thus "D3veloper" would be a less than ideal password since potentially it's an easily guessed variant of the word "developer."

A common recommendation for dealing with this issue is to suggest the use of randomly generated passwords such as "0Y=/S?tV". However, such passwords often pose great difficulty for many users to remember, which can lead to passwords being written down and hence result in a decrease rather than an increase in security. To resolve this issue, a technique has recently been suggested whereby the user turns an easily remembered phrase into a seemingly random password by taking the first letter of each word in the phrase and then performing character substitutions in order to introduce other character types such as numbers and special characters.

Thus, the user would take a phrase such as "The quick brown fox jumped over the lazy dog" and turn it into the character string "Tqbfjotld." They could then pick a character and replace it with an easily remembered number and then pick a second character and replace it with an easily remembered special character. Thus if the person's "b"irthday was on the 5th, perhaps they would associate "b" with number "5," and if they liked the J# programming language, perhaps they would associate "j" with "#."  Thus "b" and "j" could be replaced with their associated characters to make the password "Tq5f#otld"; a seemingly random password that can be recalled by the user using easy to remember mnemonic tricks.

This article demonstrates a small PHP5 script that can be used to convert user supplied phrases into such a seemingly random password. Before the PHP code itself is executed, however, an HTML form is initially used to allow the user to supply the phrase they are interested in, via text box, and specify their choice in character substitutions, via drop down boxes. The HTML code can be found in Listing 1 and a screenshot of the HTML form found in Figure 1.

Figure 1: The HTML interface used to accept user inputs

It is important to note that the HTML script uses the post action to submit the various HTML control values to the PHP script as follows. The text box element is named "Text" and is used to allow the user to enter his phrase of choice. Four drop down boxes are also used, where the drop down box "NumLet" allows the user to specify the letter that the user wants to replace with the number found in the drop down box "Num." Likewise, the "SpecLet" drop down box allows the user to specify the letter that the user wants to replace with the special character found in the drop down box "Spec."

Upon Execution, the PHP script accepts the values of these HTML controls and assigns them to like named variables as follows:

$passwd="";
$Phrase=$_POST['Text'];
$NumLet=$_POST['NumLet'];
$Num=$_POST['Num'];
$SpecLet=$_POST['SpecLet'];
$Spec=$_POST['Spec'];

Next, the PHP script uses the explode function to split the $Phrase string into an array of individual words (substrings), by using a space as the delimiter.  A for loop is then used to loop through all of the substrings and a regular expression, which makes use of the predefined "\w" subpattern used to identify the first letter of each substring.  The identified letter is then appended to the string stored in the variable $passwd to produce a string the consists of the first letter found in each substring as demonstrated below:

$words=explode(" ", $Phrase);
foreach($words as $word){
preg_match('/\w/', $word, $matches);
$passwd=$passwd . $matches[0];
}

Two additional regular expressions are then utilized to perform a match and replace operation, whereby the two user-specified letters are replaced with the respective user-selected number and special character, as shown below:

$passwd=preg_replace("/($NumLet)/i", "$Num", $passwd);
$passwd=preg_replace("/($SpecLet)/i", "$Spec", $passwd);

The password is then printed to the screen and to yield output like the representative one shown in Figure 2.

Figure 2: The seemingly random password that results from the information specified in Figure 1.

All in all, this article demonstrates a PHP5 script that can be used to automate the conversion of any user-specified phrase into a seemingly random password. Both the HTML code and the PHP5 code (see Listing 2 for complete code) can be easily modified to enhance compliance with organizational policies and as such can provide a useful tool for enhancing password policy compliance and password security throughout any organization. A version of the software is also being hosted at http://www.insilicobiotechnologies.com/PasswdMkr/PhrasetoPassIn.html for anyone who wishes to make use of the application in the format specified here.

More Stories By Christopher Frenz

Christopher Frenz is the author of "Visual Basic and Visual Basic .NET for Scientists and Engineers" (Apress) and "Pro Perl Parsing" (Apress). He is a faculty member in the Department of Computer Engineering at the New York City College of Technology (CUNY), where he performs computational biology and machine learning research.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
SYS-CON Events announced today that WHOA.com, an ISO 27001 Certified secure cloud computing company, participated as “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which took place June 9-11, 2015, at the Javits Center in New York City, NY. WHOA.com is a leader in next-generation, ISO 27001 Certified secure cloud solutions. WHOA.com offers a comprehensive portfolio of best-in-class cloud services for business including Infrastructure as a Service (IaaS), Secure Cloud Desktop, Cloud Storage, Disaster Recovery, Integrated Applications and Security.
SYS-CON Events announced today that Intelligent Systems Services will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Established in 1994, Intelligent Systems Services Inc. is located near Washington, DC, with representatives and partners nationwide. ISS’s well-established track record is based on the continuous pursuit of excellence in designing, implementing and supporting nationwide clients’ mission-critical systems. ISS has completed many successful projects in Healthcare, Commercial, Manu...
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists addressed this very serious issue of profound change in the industry.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal an...
SYS-CON Events announced today that kintone has been named “Bronze Sponsor” of SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. kintone promotes cloud-based workgroup productivity, transparency and profitability with a seamless collaboration space, build your own business application (BYOA) platform, and workflow automation system.
Discussions about cloud computing are evolving into discussions about enterprise IT in general. As enterprises increasingly migrate toward their own unique clouds, new issues such as the use of containers and microservices emerge to keep things interesting. In this Power Panel at 16th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the state of cloud computing today, and what enterprise IT professionals need to know about how the latest topics and trends affect their organization.
SYS-CON Events announced today that SoftLayer, an IBM company, has been named “Gold Sponsor” of SYS-CON's 17th International Cloud Expo®, which will take place November 3–5, 2015 at the Santa Clara Convention Center in Santa Clara, CA. SoftLayer operates a global cloud infrastructure platform built for Internet scale. With a global footprint of data centers and network points of presence, SoftLayer provides infrastructure as a service to leading-edge customers ranging from Web startups to global enterprises. SoftLayer’s modular architecture, full-featured API, and sophisticated automation pro...
17th Cloud Expo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises are using some form of XaaS – software, platform, and infrastructure as a service.
The enterprise market will drive IoT device adoption over the next five years. In his session at @ThingsExpo, John Greenough, an analyst at BI Intelligence, division of Business Insider, analyzed how companies will adopt IoT products and the associated cost of adopting those products. John Greenough is the lead analyst covering the Internet of Things for BI Intelligence- Business Insider’s paid research service. Numerous IoT companies have cited his analysis of the IoT. Prior to joining BI Intelligence, he worked analyzing bank technology for Corporate Insight and The Clearing House Payment...
SYS-CON Events announced today that CommVault has been named “Bronze Sponsor” of SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. A singular vision – a belief in a better way to address current and future data management needs – guides CommVault in the development of Singular Information Management® solutions for high-performance data protection, universal availability and simplified management of data on complex storage networks. CommVault's exclusive single-platform architecture gives companies unp...
"ciqada is a combined platform of hardware modules and server products that lets people take their existing devices or new devices and lets them be accessible over the Internet for their users," noted Geoff Engelstein of ciqada, a division of Mars International, in this SYS-CON.tv interview at @ThingsExpo, held June 9-11, 2015, at the Javits Center in New York City.
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists peeled away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud environment, and we must architect and code accordingly. At the very least, you'll have no problem fillin...
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Among the proven benefits, DevOps is corr...
Internet of Things (IoT) will be a hybrid ecosystem of diverse devices and sensors collaborating with operational and enterprise systems to create the next big application. In their session at @ThingsExpo, Bramh Gupta, founder and CEO of robomq.io, and Fred Yatzeck, principal architect leading product development at robomq.io, discussed how choosing the right middleware and integration strategy from the get-go will enable IoT solution developers to adapt and grow with the industry, while at the same time reduce Time to Market (TTM) by using plug and play capabilities offered by a robust IoT ...
SYS-CON Events announced today that Secure Infrastructure & Services will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Secure Infrastructure & Services (SIAS) is a managed services provider of cloud computing solutions for the IBM Power Systems market. The company helps mid-market firms built on IBM hardware platforms to deploy new levels of reliable and cost-effective computing and high availability solutions, leveraging the cloud and the benefits of Infrastructure-as-a-Service (IaaS...
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi’s VP Business Development and Engineering, will explore the IoT cloud-based platform technologies driving this change including privacy controls, data transparency and integration of real time context wi...
The basic integration architecture, as defined by ESBs, hasn’t changed for more than a decade. Most cloud integration providers still rely on an ESB architecture and their proprietary connectors. As a result, enterprise integration projects suffer from constraints of availability and reliability of these connectors that are not re-usable across other integration vendors. However, the rapid adoption of APIs and almost ubiquitous availability of APIs amongst most SaaS and Cloud applications are rapidly redefining traditional integration approaches and their reliance on proprietary connectors. ...
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever.
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Architect for the Internet of Things and Intelligent Systems, described how to revolutionize your archit...