I am facing a problem that's literally driving me nuts. Following scenario is given:
Bcrypt implementation via Zend\Crypt\Password\Bcrypt
So, whenever I create a fixed password on App A, synchronize them, authentication on App B works.
However, whenever I create a random password on App A, synchronize them, authentication on App B just won't work.
I pass the password created through a session to a front-end after a redirect.
$password = (string) rand(2938, 9578);
//$password = '12345678';
$bcrypt = new Bcrypt();
$bcrypt->setCost(14);
$entity->setPassword($bcrypt->create($password));
$entityService->save($entity);
$this->flashMessenger()->setNamespace('MpuServerUser')->addSuccessMessage(
"Benutzer-PIN erfolgreich erneuert. PIN: {$password}"
);
return $this->redirect()->toRoute('mpuserveruser');
As you can see that's the part that I'm facing troubles with. Whenever I create a new password for a User with a given string '123456', there are no problems, whatsoever.
But when I use the uncommented part $password = (string) rand(2938, 9578); the password I'm getting on my front-end won't authenticate.
There's no differences between trying with rand() or mt_rand(). Anyone any idea what the heck is going on here? ^^
Update - apparently only passwords that are of 6 chars or longer do work. Even if I set a predefined password of only 4 letters, it won't work.
Here's my piece of code:
(...)
//I USE ZfcUserAdmin MODULE
if ( $this->getOptions()->getCreateUserAutoPassword() ) {
//HERE'S WHERE I'VE TRIED
//\Zend\Math\Rand::getInteger( 2938, 9578 ); --> OK
//rand( 2938, 9578 ); --> OK
$rand = \Zend\Math\Rand::getString( 8 );
$user->setPassword( $rand );
}
$uncrypted_password = $user->getPassword();
$bcrypt = new Bcrypt;
//PASSWORD COST IS SET TO 14, LIKE YOU
$bcrypt->setCost( $userOptions->getPasswordCost() );
$user->setPassword( $bcrypt->create( $uncrypted_password ) );
(...)
The only difference between your solution and mine, is that you redirect and store the password in the session, while I just send an email to the user with the generated password. If I use the new credentials in the email, I can login without problems. Anyway, I think that's not the problem, I suppose it should be something in the BCrypt class.