Improved password generation

- Added RandomNumberGenerator usage (CSPRNG) - Rewrote the algorithm to avoid biases.
x360ce · Jan 28, 2022 · 2ef1fb5 · 2ef1fb5
1 parent b93a957
commit 2ef1fb5
Showing 1 changed file with 9 additions and 13 deletions.
diff --git a/x360ce.Web/Security/Controls/CreateUser.ascx.cs b/x360ce.Web/Security/Controls/CreateUser.ascx.cs
@@ -11,6 +11,7 @@
 using SecurityClassesDataContext = JocysCom.WebSites.Engine.Security.Data.SecurityEntities;
 using JocysCom.WebSites.Engine.Security;
 using System.Web.UI.HtmlControls;
+using System.Security.Cryptography;
 
 namespace JocysCom.Web.Security.Controls
 {
@@ -131,22 +132,17 @@ protected override void OnInit(EventArgs e)
 		}
 
 		/// <summary>
-		/// Generate easy to remember password.
+		/// Generates a pseudorandom password that cannot be predicted.
 		/// </summary>
-		/// <returns></returns>
-		public string NewPassword()
+		/// <returns>A string representing a securely-generated password.</returns>
+		public string NewPassword(uint length = 0, string charlist = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"£$%^&*()_+=-{}[]:@~;'#/,.<>?\\")
 		{
-			var rnd = new Random();
-			string chars = "qwxzQWZX";
-			;
-			string volves = "aeiouyAEIOUY".Replace(chars, "");
-			string consonants = "bcdfghjklmnpqrstvwxzBCDFGHJKLMNPQRSTVWXZ".Replace(chars, "");
+			if (length == 0) {
+				length = (uint)RandomNumberGenerator.GetInt32(12, 32 + 1);
+			}
 			string password = string.Empty;
-
-			for (int i = 0; i < 8; i++)
-			{
-				string choice = (i % 2 == 0) ? consonants : volves;
-				password += choice[rnd.Next(choice.Length)].ToString();
+			for (uint i = 0; i < length; i++) {
+				password += charlist[RandomNumberGenerator.GetInt32(charlist.Length)];
 			}
 			return password;
 		}