
Jonathan Street's Blog:
Random thoughts on random strings
July 03, 2008 @ 07:58:33

On his blog, Jonathan Street has posted some "random thoughts" on generating random (or not so random) strings in PHP.

Humans are astoundingly bad at being random and I just slapped the keyboard a few times until I felt I had the required 16 characters. Writing some code to produce a fairly random string is incredibly easy. I've easily done it a dozen times or more. Though only because it is easier to re-write it than to find where I put the last one

He gives two examples that work but aren't the best options for making truly random strings: one uses mt_rand to select a random character from a string, and the other uses the same idea but with the chr() function in place of the string of characters.

His other examples include the use of the uniqid function with the more_entropy setting enabled and an md5 or sha1 hash (for which he gives positives and negatives).




AnyExample.com:
PHP password generation
December 29, 2006 @ 08:03:00

A new tutorial has been posted over on AnyExample.com dealing with password generation in PHP. This type of script can be useful for creating a default password for your application to give initially to the user.

Modern web-applications often provide (during registration, or password-reset) random-generated passwords for its users. However these passwords (usually a random combination of letters or numbers) are quite hard to remember: in fact, it's even impossible to read them. This article provides a function for generating English-like readable passwords.

The key difference in this script is that last sentence - making the passwords somewhat human-readable. They give an example of what the traditional (md5-ish) approach to making passwords is before giving the code to create something a bit easier to remember like "lyttakor" or "fapoution". Example usage code is also provided.



David Coallier's Blog:
Free PHP Security Scan
November 15, 2006 @ 07:06:07

David Coallier has posted about his ideas for an Open Source, free PHP security scanner:

The idea of this project is quite simple, I was thinking that offering this service to anyone who requests it could be a very nice idea. Offering to run the scan is the only way I could ensure that people are not using this scanner against any website.

Basically, his idea is to offer this service free of charge, but still restrict it to avoid malicious use. It would involve validation via an md5 hash to ensure that the website has been authorized to run it. Check out the blog entry for more details on how the scan would be run.



Ryan Malesevich's Blog:
MD5 to SHA-1 in PHP and MySQL (Part 1)
October 02, 2006 @ 09:31:00

Ryan Malesevich is taking a break from his look at some handy WordPress packages to share a small series on how to move from MD5 hashes to SHA-1 hashes for passwords in a MySQL database. He's posted part one today.

What if you're using MD5 in your web application and want to switch over to another encryption method? It's actually not that hard and I plan to cover them in this multi-part tutorial (I know I planned on writing this months ago, but it's better late than never). In this first part I plan on going over updating the database structure and a 'pseudo-code' of what will need to be done.

As mentioned, he gives the outline (pseudo-code) of how the process will work - basically, creating an SHA1 hash of the MD5 and the username in a "newpassword" column added to your database.



PHPit.net:
Handling passwords safely in PHP
February 06, 2006 @ 07:17:10

PHPit.net is back today with another new tutorial - this time it concerns the safe handling of passwords in your PHP scripts.

If you're ever going to create a script that involves users or passwords, which is very likely, you'll probably run across security issues with handling the passwords. You can't just store the passwords in clear text in your database, and great care must be used when managing the passwords (for example during login).

In this article I will show you everything that you have to think about when handling passwords in PHP, and how to solve some common problems.

They offer suggestions like storing them hashed (md5 or sha1), protecting them with a salt, SSL certificates, and how to manage their use with things like cookies and sessions.





All content copyright, 2009 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework