09-19-2017, 11:23 PM
@Brandin. Are you talking about auto-generated passwords?
What I tend to do is generate a token, then bcrypt that, then bcrypt the bcrypt, so it's essentially an unknowable password (since bcrypt is not a deterministic hash, the results for the same token are different). Then I force the user to go through the password reset to get their own password. If you're talking about auto-generating a password that we send them, my thought would be to bcrypt something to get pseudorandom noise and then give them characters 8-19 as their password, to give them a pseudorandom, unpredictable password that we can share.
Does that make sense?
1. Generate a random token.
2. Bcrypt it (don't store it)
3. Shorten the string to only characters 8-19 (since characters 1-7 are always $2y$12$).
4. Bcrypt that 12-character string as their password, store that in the database, and then you can send them the password.
The problem is that doing it that way, the password would be in plain text in the email, so they should still reset the password, which brings you back to creating a password that even you don't know.
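The two flows described in the post, written out as an added PHP example (this is not code from the original post or from anyone in the thread). It uses password_hash()/password_verify() with cost 12 so the hashes carry the $2y$12$ prefix the post refers to (PHP's default cost is 10). In that format the 7-character prefix is followed by a 22-character base64-encoded salt, so the 12-character slice at offset 7 is taken from the salt field. The helper names, the ensure() check helper and the demonstration values are assumptions.

```php
<?php
declare(strict_types=1);

// Cost 12 gives the "$2y$12$" prefix the post mentions (PHP's default is 10).
const BCRYPT_OPTS = ['cost' => 12];

// Step 1: a random token from the CSPRNG.
function generateToken(): string
{
    return bin2hex(random_bytes(32));
}

// Flow A from the post: bcrypt a token, bcrypt the result, keep only the
// outer hash. The inner hash is discarded and never stored, so no value
// anyone holds verifies against what is stored; the account becomes usable
// only after the user goes through the password reset.
function unknowablePasswordHash(): string
{
    $inner = password_hash(generateToken(), PASSWORD_BCRYPT, BCRYPT_OPTS);
    return password_hash($inner, PASSWORD_BCRYPT, BCRYPT_OPTS);
}

// Flow B, steps 1-4 from the post: a temporary password that can be shared.
// Returns the plaintext to send to the user and the hash to store.
function temporaryPassword(): array
{
    $token  = generateToken();                                      // 1
    $noise  = password_hash($token, PASSWORD_BCRYPT, BCRYPT_OPTS);  // 2, not stored
    // 3: characters 8-19 (1-indexed) = substr() offset 7, length 12.
    //    The fixed 7-character "$2y$12$" prefix is skipped; the slice lands
    //    inside the 22-character base64 salt field of the bcrypt string.
    $plain  = substr($noise, 7, 12);
    $stored = password_hash($plain, PASSWORD_BCRYPT, BCRYPT_OPTS);  // 4
    return ['plain' => $plain, 'stored' => $stored];
}

// Login-time check, the same for either flow.
function checkLogin(string $candidate, string $stored): bool
{
    return password_verify($candidate, $stored);
}

// Small check helper for the demonstration below (assumed, not part of the post).
function ensure(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Demonstration of flow B.
$tmp = temporaryPassword();
ensure(strlen($tmp['plain']) === 12, 'temporary password is 12 characters');
ensure(preg_match('#^[./A-Za-z0-9]{12}$#', $tmp['plain']) === 1, 'bcrypt base64 alphabet');
ensure(substr($tmp['stored'], 0, 7) === '$2y$12$', 'stored hash has $2y$12$ prefix');
ensure(checkLogin($tmp['plain'], $tmp['stored']) === true, 'temporary password verifies');
ensure(checkLogin('wrong-password', $tmp['stored']) === false, 'wrong password rejected');

// Demonstration of flow A: the placeholder hash is stored, nobody can log in
// with it, and the user picks a real password through the reset flow.
$locked = unknowablePasswordHash();
ensure(substr($locked, 0, 7) === '$2y$12$', 'placeholder hash has $2y$12$ prefix');
$userChosen = 'correct horse battery staple';                      // constructed sample
$afterReset = password_hash($userChosen, PASSWORD_BCRYPT, BCRYPT_OPTS);
ensure(checkLogin($userChosen, $afterReset) === true, 'reset password verifies');

echo "temporary password: {$tmp['plain']}\n";
echo "stored hash:        {$tmp['stored']}\n";
echo "locked placeholder: {$locked}\n";
```

Run it with `php example.php`. Only the hashes in `$tmp['stored']`, `$locked` and `$afterReset` are meant to reach the database; `$noise` and the inner hash in unknowablePasswordHash() are thrown away, which is what makes the placeholder unusable until the reset in flow A.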